Abstract

Permissive-Nominal Logic (PNL) extends first-order predicate logic with term-formers that can bind names in their arguments. It takes a semantics in (permissive-)nominal sets. In PNL, the ∀-quantifier or λ-binder are just term-formers satisfying axioms, and their denotation is functions on nominal atoms-abstraction.

Then we have higher-order logic (HOL) and its models in ordinary (i.e. Zermelo-Fraenkel) sets; the denotation of ∀ or λ is functions on full or partial function spaces.

This raises the following question: how are these two models of binding connected? What translation is possible between PNL and HOL, and between nominal sets and functions?

We exhibit a translation of PNL into HOL, and from models of PNL to certain models of HOL. It is natural, but also partial: we translate a restricted subsystem of full PNL to HOL. The extra part which does not translate is the symmetry properties of nominal sets with respect to permutations. To use a little nominal jargon: we can translate names and binding, but not their nominal equivariance properties. This seems reasonable since HOL, and ordinary sets, are not equivariant.

Thus viewed through this translation, PNL and HOL and their models do different things, but they enjoy non-trivial and rich subsystems which are isomorphic.
1. Introduction

Permissive-Nominal Logic (PNL) extends first-order predicate logic with term-formers that can bind names in their arguments. For instance, arithmetic, set theory, and functions axiomatise naturally in PNL; their binders are modelled as ordinary PNL term-formers and their axioms look very much like the axioms normally written in informal practice. PNL is sound and complete for a first-order style semantics in (permissive-nominal) sets [DG11, Gab11b]. This captures the essence of nominal techniques, whose initial motivation has been to handle names and binding in a first-order framework.

Higher-order logic (HOL) also has binding [Mil92, Far08]. This has been used to encode other binders, e.g. the Church encoding of quantifiers as constants of higher type such as ∀ : (ι→o)→o [And86, Chu40]; higher-order abstract syntax (HOAS) encoding term-formers of an encoded syntax with binders as constants of higher type such as ∀ : (ι→p)→p or ∀ : (ν→p)→p (strong vs. weak HOAS)¹ [DH94, PE88]; and higher-order rewrite systems [MN98].

This paper is not about how PNL and HOL can be used as meta-mathematical reasoning frameworks, or about what models look like expressed as nominal sets or as functions. The deeper point is that we have before us two foundations for mathematics. The question we address is then as follows: There is a 'nominal' model of names and binding which can be applied in various ways, and also a functional model which can also be applied in various ways. These are captured by two logics, PNL and HOL, and by their nominal and functional denotations respectively. We observe that these are clearly different, yet their applications just as clearly overlap. So, what positive and mathematically precise statements can we now make about their relationship?

Since PNL is first-order and has a sound and complete semantics (so expressivity and models are fairly 'small'), whereas HOL is higher-order (so expressivity and models are fairly 'large'), the natural direction for a translation is from nominal sets and PNL, to functions and HOL.²

¹ A word of clarification here: we take o to be a type of truth-values, ι to be a type of terms, and p to be a type of predicates. ∀-the-quantifier generates truth-values, whence the type headed by o, namely ∀ : (ι→o)→o. ∀-the-syntax-building-constant in HOAS generates terms, whence the types headed by p, namely ∀ : (ι→p)→p or ∀ : (ν→p)→p. Do not confuse a HOL constant for a HOAS-style binder (a way to give meaning to building syntax with binding) with a HOL constant for the corresponding quantifier (a way to give meaning to what that syntax is intended to denote; namely, actual quantification).

This raises the question of how PNL translates to HOL, and how PNL models trans- 
late to functional models. 

In this paper we translate a subsystem of PNL into HOL and prove it sound and complete using arguments on nominal sets and nominal renaming sets models [GH08]. The proof of completeness involves giving a functional semantics to nominal terms, and a nominal semantics to λ-terms in the spirit of Henkin models [And86, BBK04]. This involves a construction on nominal sets models corresponding to a free extension to nominal renaming sets, as previously considered by the second author with Hofmann [GH08].

The partiality of the translation seems to be inherent and reflects natural differences in structure between nominal and 'ordinary' sets. That is, it is not the case that nominal techniques are 'just' a concise presentation of HOL with a weakened β-equivalence (e.g. higher-order patterns [Mil91]). There is that, but there is also more. Thus, the nominal and functional models of names and binding are distinct, but they have non-trivial and rich subsystems which are isomorphic in a sense made precise in this paper.

1.1. Some background on PNL

We study PNL for its own sake in this paper, but the interested reader can find example nominal theories in the literature. PNL is designed as a first-order logic for denotations with binding. The reader can find sound and complete nominal algebra theories for substitution, β-equivalence, and first-order logic [GM06a, GM10, GM06c] (nominal algebra can be viewed as the equality fragment of PNL). Not all PNL theories are expressed in the equality fragment. For instance, in the paper which introduced PNL [DG10] we included theories of first-order logic and arithmetic which put universal quantification to the left of an implication. This cannot be done in nominal algebra because it is a purely equational logic.

To give some idea of what this family of logics looks like in practice, assume a name-sort ν and a base sort ι and term-formers lam : ([ν]ι)ι, app : (ι, ι)ι, and var : (ν)ι. (Full definitions are in the body of the paper.) We sugar lam([a]r) to λa.r and app(r', r) to r'r and var(a) to a. Atoms in PNL are a form of data and populate their own sort ν; so var serves to map them into the sort ι, where they represent object-level variables.

Here is η-equivalence, written out as it would be informally:

$$\lambda x.(tx) = t \quad \text{if } x \text{ is not free in } t$$

Here is a PNL axiom for η-equivalence, written out formally:

$$\forall Z.(\lambda a.(Za) = Z) \quad (a \notin pmss(Z))$$

(See [GM10] for a detailed study of this axiom in a nominal context.)

a is an atom and corresponds to the object-level variable x; a is not a PNL variable but it represents a variable of the object-level system being axiomatised. Z is an unknown and corresponds to the meta-level variable t; Z is a variable in PNL and may be instantiated.



² In other words, we want a shallow embedding of PNL into HOL. A deep embedding e.g. of HOL in PNL is an answer to a different question; for more on this direction, see [GM09b].

The reader can see how similar the two axioms look. Their status is different in
the following sense: whereas t is typically taken to range over terms, Z ranges over 
elements of nominal sets (via a valuation; see Definition 6.3). This is possible because 
nominal sets have a notion of supporting set of atoms which mirrors the free variables of 
a term. 

The condition a ∉ pmss(Z) is a typing condition in PNL. The types, or permission sets as we call them, restrict the support of denotations associated to Z by a valuation. They correspond to freshness side-conditions in nominal terms from [UPG04] and to informal freshness conditions of the form 'x not free in t' in informal practice. To see this intuition made formal see a translation from nominal terms to permissive-nominal terms in [DGM10].

There is no requirement to axiomatise a-equivalence because this is done automati- 
cally by the PNL system. 

Sugar (λa.r)r' to r[a↦r']. Then axioms for β-equivalence are:

$$\forall Y.\ a[a{\mapsto}Y] = Y$$
$$\forall Z, X.\ Z[a{\mapsto}X] = Z \quad (a \notin pmss(Z))$$
$$\forall X', X, Y.\ (X'X)[a{\mapsto}Y] = (X'[a{\mapsto}Y])(X[a{\mapsto}Y])$$
$$\forall X, Z.\ (\lambda a.X)[b{\mapsto}Z] = \lambda a.(X[b{\mapsto}Z]) \quad (a \notin pmss(Z))$$
$$\forall X.\ X[a{\mapsto}a] = X$$

Thus, the design philosophy of PNL is that axioms should look like what we would 
write informally anyway, where variables map to atoms, meta-variables to unknowns, 
binding to atoms-abstraction, and capture-avoidance conditions to choice of permission 
sets. 

Note that in the axioms above, a and b cannot be equal because they are distinct atoms, and atoms are data, not variables (a is a, and b is b, and they are distinct). More on this and on the use of permutations in the body of the paper.³

Equality reasoning is not necessary to α-rename atoms in PNL; we can quotient by α-equivalence so that we can rename ∀a.P(a) to ∀b.P(b) without proving a logical equivalence. This is unlike other 'nominal' reasoning systems, such as Fraenkel-Mostowski set theory as used by the author with Pitts to introduce nominal techniques in [GP01], nominal rewriting by Fernandez and the second author [FG07], nominal algebra by the second author with Mathijssen [GM06b, GM07, GM09a], αProlog by Cheney and Urban [CU08], and other systems in the same spirit.

1.2. Map of the paper 

This paper has a lot of technical ground to cover. This is unavoidable, because we need to deal with two logics (restricted PNL and HOL) and two semantics (nominal sets, and the hand-crafted Henkin models in nominal renaming sets used in the completeness proof), as well as two translations (from logic to logic, and from models to models).

For the reader's convenience, we provide an overview of the main technical points 
with brief justifications for their design: 



³ The axioms above also have typing constraints, because unknowns are typed with their permission set. These typing constraints turn out not to be so restrictive, for quite subtle reasons. The interested reader can find a discussion in [DG11, Subsection 2.7]. For the purposes of the discussion here, it is not important.

• Section 2 introduces permissive-nominal logic. This comes from previous work into 'nominal' axiomatisations of systems with binding [DG10, DG11].⁴

In fact, we need to introduce two logics: full PNL and also a restricted version which has a weaker non-equivariant axiom rule. We write the entailment relations ⊢ and ⊩ respectively. It is the restricted version that we will eventually translate to HOL.

• Section 3 introduces higher-order logic as a theory over the syntax of the simply-typed λ-calculus. We write the entailment relation ⊪.

• Section 4 defines the translation from restricted PNL to HOL, and proves it sound 
using arguments on syntax. In order to do the translation, we need to introduce a 
capture typing D ⊢ r : A which is a measure of how many functional abstractions
are required to translate a given nominal term without losing information; that is, 
of the functional complexity of a nominal term. 

• Our goal is then to prove completeness of the translation. We do this by transform- 
ing models of PNL into models of HOL. So Section 5 introduces two categories: 
PmsPrm of permissive-nominal sets and PmsRen of permissive-nominal renaming 
sets. We also give a free construction, transforming a permissive-nominal set into 
a permissive-nominal renaming set. 

• In Section 6 we interpret full and restricted PNL in PmsPrm. In Section 7 we inter- 
pret HOL in PmsRen. 

• Finally, in Section 8 we use the free construction of Section 5 to map a model of 
PNL in PmsPrm to a model in PmsRen, and because the free construction does not 
'make anything equal' this is sufficient to prove completeness. 

• As one further mathematical note, the results in the literature concern full PNL 
and not restricted PNL. So in Appendix A we sketch proofs of soundness, cut- 
elimination, and completeness of restricted PNL with respect to non-equivariant 
models in PmsPrm. These are modest, if not entirely direct, modifications of the 
existing definitions and proofs for full PNL and equivariant models in PmsPrm. 

Quite a number of new ideas are required to make this all work. The highlights are: 
permissive-nominal renaming sets and their application to give non-standard 'nomi- 
nal' Henkin models for higher-order logic; restricted PNL and its semantics; the free 
construction; and the technical arguments as discussed in Section 8. 

Given that the proofs and constructions in this paper are non-trivial and involve an 
effort to extend existing machinery, we should pause to ask again why doing this is 
justified, even necessary. 

Nominal techniques were designed originally to reason on syntax-with-binding (see the original journal paper [GP01] or a recent survey paper [Gab11a]). But since then this remit has expanded to reasoning about denotations with binding more generally (an overview of which is in [Gab11b]). In doing this, we have created a whole new syntax and semantics for meta-mathematics.



⁴ Note that PNL is not only about nominal abstract syntax as considered in e.g. [GP01, Gab11a]. Nominal abstract syntax is a denotation for syntax with binding. PNL and its models are a (more general) syntax and semantics for denotations with binding in general, which are not all necessarily datatypes of abstract syntax.

We will not argue for or against either the nominal foundation or the higher-order foundation for mathematics.⁵ Our question is: given that these two foundations exist, how do they relate?

In fact, questions have been asked about how nominal names and binding are related to functions, ever since nominal techniques were conceived in the second author's thesis. Since then, the development of PNL [DG11] and nominal renaming sets [GH08] has given us two powerful new tools with which to address these questions: a proof-theory for a logic in which nominal reasoning so far can be formalised, and a visibly nominal semantics which is not based on permutations but on possibly non-bijective renamings on atoms, so that atoms-abstraction can be considered as a function in that semantics.

In this paper, we leverage this to give a precise, concrete, and mathematically de- 
tailed account of how these two worlds really stand in relation to one another — and 
how they differ. In conclusion we speculate that there is some potential (not explored 
in this paper) that our translations might be used to piggyback nominal techniques on 
the substantial implementational efforts that have gone into developing HOL over the 
past seventy years. 

2. Permissive-Nominal Logic 

Permissive-nominal logic is a first-order logic for nominal terms quotiented by α-equivalence. Doing this is not entirely trivial; the interested reader can find more on this elsewhere [UPG04, DG10, DG11, Gab11b].

2.1. Syntax

Definition 2.1. A sort-signature is a pair (A, B) of name and base sorts. ν will range over name sorts; τ will range over base sorts. A sort language is then defined by

$$\alpha ::= \nu \mid (\alpha, \ldots, \alpha) \mid [\nu]\alpha \mid \tau.$$



Remark 2.2. Examples of base sorts are: 'λ-terms', 'formulae', 'π-calculus processes', 'program environments', 'functions', 'truth-values', 'behaviours', and 'valuations'.

Examples of name sorts are 'variable symbols', 'channel names', or 'memory locations'.

[ν]α is an abstraction sort. This does a similar job to function-types in higher-order logic but note that ν must always be a name-sort. The behaviour of a term of sort [ν]α corresponds to 'bind a name of sort ν in a term of sort α'. Such a term does not denote a function, though later on in our completeness proof we will deliberately undermine that intuition to obtain our completeness result.

Definition 2.3. A term-signature over a sort-signature (A, B) is a tuple $(\mathcal{F}, \mathcal{P}, ar, \mathcal{X})$ where:

• $\mathcal{F}$ and $\mathcal{P}$ are disjoint sets of term- and proposition-formers.

f will range over term-formers. P will range over proposition-formers.

• ar assigns to each $f \in \mathcal{F}$ a term-former arity (α)τ and to each $P \in \mathcal{P}$ a proposition-former arity α, where α and τ are in the sort-language determined by (A, B).

We will write $((\alpha_1, \ldots, \alpha_n))\tau$ just as $(\alpha_1, \ldots, \alpha_n)\tau$.

• $\mathcal{X}$ is a set of unknowns X, each of which has a sort sort(X) and a permission set pmss(X), such that for each sort α and permission set S the set $\{X \in \mathcal{X} \mid sort(X) = \alpha,\ pmss(X) = S\}$ is countably infinite. X, Y, Z will range over distinct unknowns.

A signature S is then a tuple $(A, B, \mathcal{F}, \mathcal{P}, ar, \mathcal{X})$.

We write f : (α)τ for ar(f) = (α)τ and similarly we write P : α for ar(P) = α.

⁵ There has been more than enough of that already, and anyway, because truth is free, proving theorems is never a zero sum game.

Example 2.4. The signature for the λ-calculus from the Introduction has a name-sort ν for λ-calculus object-level variables, a base sort ι for λ-terms, and appropriate term-formers:

• var : (ν)ι to form λ-calculus variables in ι out of names in ν,

• app for application, and

• lam taking an abstraction in [ν]ι and forming from it a λ-abstraction term in ι.

Definition 2.5. For each ν fix a disjoint countably infinite set of atoms $\mathbb{A}_\nu$, and an arbitrary bijection $\mu_\nu$ between $\mathbb{A}_\nu$ and the integers $\mathbb{Z} = \{0, -1, 1, -2, 2, \ldots\}$. Write

$$\mathbb{A}_\nu^{<} = \{\mu_\nu^{-1}(i) \mid i < 0\} \qquad \mathbb{A}_\nu^{>} = \{\mu_\nu^{-1}(i) \mid i > 0\}.$$

Finally, write

$$\mathbb{A}^{<} = \bigcup_\nu \mathbb{A}_\nu^{<} \qquad \mathbb{A}^{>} = \bigcup_\nu \mathbb{A}_\nu^{>} \qquad \mathbb{A} = \bigcup_\nu \mathbb{A}_\nu.$$

a, b, c, … will range over distinct atoms (we call this the permutative convention).

A permission set has the form $(\mathbb{A}^{<} \cup A) \setminus B$ where $A \subseteq \mathbb{A}^{>}$ and $B \subseteq \mathbb{A}^{<}$ are finite (and a permission set may be finitely represented by the pair (A, B)). S, T, and U will range over permission sets.

The use of $\mathbb{A}^{<}$ and $\mathbb{A}^{>}$ ensures that permission sets are infinite and also co-infinite (their complement is also infinite).

Definition 2.6. A permutation is a bijection π on $\mathbb{A}$ such that $a \in \mathbb{A}_\nu \Rightarrow \pi(a) \in \mathbb{A}_\nu$, and $nontriv(\pi) = \{a \mid \pi(a) \neq a\}$ is finite. Write $\mathbb{P}$ for the set of permutations.

Given $a, b \in \mathbb{A}_\nu$ let a swapping (a b) be the bijection on atoms that maps a to b, b to a, and all other c to themselves.


Notation 2.7. We use the following notation:

• Write π ∘ π' for functional composition, so (π ∘ π')(a) = π(π'(a)).

• Write id for the identity permutation, so id(a) = a always.

• Write π⁻¹ for inverse, so π ∘ π⁻¹ = id.
Definition 2.8. For each signature S, define terms and propositions over S by the following rules:

$$\frac{}{a : \nu}\ (a \in \mathbb{A}_\nu) \qquad \frac{r_1 : \alpha_1 \ \cdots\ r_n : \alpha_n}{(r_1, \ldots, r_n) : (\alpha_1, \ldots, \alpha_n)} \qquad \frac{r : \alpha}{f(r) : \tau}\ (ar(f) = (\alpha)\tau)$$

$$\frac{r : \alpha}{[a]r : [\nu]\alpha}\ (a \in \mathbb{A}_\nu) \qquad \frac{}{\pi\cdot X : \alpha}\ (sort(X) = \alpha)$$

$$\frac{}{\bot\ \text{prop.}} \qquad \frac{\phi\ \text{prop.} \quad \psi\ \text{prop.}}{\phi \Rightarrow \psi\ \text{prop.}} \qquad \frac{r : \alpha}{P(r)\ \text{prop.}}\ (ar(P) = \alpha) \qquad \frac{\phi\ \text{prop.}}{\forall X.\phi\ \text{prop.}}$$

Example 2.9. Continuing Example 2.4, we have the following terms and propositions:

• var(a) : ι where $a \in \mathbb{A}_\nu$.

• [a]X : [ν]ι where $a \in \mathbb{A}_\nu$ and sort(X) = ι, and lam([a]X) : ι.

• ∀X.P(lam([a]X), X) is a proposition if P is a proposition-former and P : (ι, ι).

2.2. Permutation, substitution, and so on 

These definitions are all needed for the rest of the paper, starting with α-equivalence in Subsection 2.3. We need them at both levels; both for atoms and for unknowns.

Definition 2.10. Define a (level 1) permutation action on syntax by:

$$\pi\cdot a = \pi(a) \qquad \pi\cdot(r_1, \ldots, r_n) = (\pi\cdot r_1, \ldots, \pi\cdot r_n) \qquad \pi\cdot[a]r = [\pi(a)]\pi\cdot r$$
$$\pi\cdot(\pi'\cdot X) = (\pi \circ \pi')\cdot X \qquad \pi\cdot f(r) = f(\pi\cdot r)$$
$$\pi\cdot\bot = \bot \qquad \pi\cdot(\phi \Rightarrow \psi) = (\pi\cdot\phi) \Rightarrow (\pi\cdot\psi) \qquad \pi\cdot P(r) = P(\pi\cdot r) \qquad \pi\cdot(\forall X.\phi) = \forall X.\pi\cdot\phi$$

Definition 2.11. Let Π range over sort- and permission-set-preserving bijections on unknowns (so $sort(\Pi(X)) = sort(X)$ and $pmss(\Pi(X)) = pmss(X)$) such that $\{X \mid \Pi(X) \neq X\}$ is finite.

Write $\Pi \circ \Pi'$ for functional composition, $Id$ for the identity permutation, and $\Pi^{-1}$ for inverse, much as in Notation 2.7.

Define a (level 2) permutation action by:

$$\Pi\cdot a = a \qquad \Pi\cdot(r_1, \ldots, r_n) = (\Pi\cdot r_1, \ldots, \Pi\cdot r_n) \qquad \Pi\cdot[a]r = [a]\Pi\cdot r$$
$$\Pi\cdot(\pi\cdot X) = \pi\cdot(\Pi(X)) \qquad \Pi\cdot f(r) = f(\Pi\cdot r)$$
$$\Pi\cdot\bot = \bot \qquad \Pi\cdot(\phi \Rightarrow \psi) = (\Pi\cdot\phi) \Rightarrow (\Pi\cdot\psi) \qquad \Pi\cdot P(r) = P(\Pi\cdot r) \qquad \Pi\cdot(\forall X.\phi) = \forall \Pi(X).\Pi\cdot\phi$$

Definition 2.12. Suppose A is a set of atoms and π is a level 1 permutation. Suppose U is a set of unknowns and Π is a level 2 permutation. Define π·A and Π·U by

$$\pi\cdot A = \{\pi(a) \mid a \in A\} \qquad \text{and} \qquad \Pi\cdot U = \{\Pi(X) \mid X \in U\}.$$

This is the standard pointwise permutation action on sets.
Definition 2.13. Define free atoms fa(r) and fa(φ) by:

$$fa(\pi\cdot X) = \pi\cdot pmss(X) \qquad fa([a]r) = fa(r) \setminus \{a\} \qquad fa(a) = \{a\}$$
$$fa(f(r)) = fa(r) \qquad fa((r_1, \ldots, r_n)) = \bigcup_i fa(r_i)$$
$$fa(\bot) = \varnothing \qquad fa(\phi \Rightarrow \psi) = fa(\phi) \cup fa(\psi)$$
$$fa(P(r)) = fa(r) \qquad fa(\forall X.\phi) = fa(\phi)$$

Define free unknowns fV(r) and fV(φ) by:

$$fV(a) = \varnothing \qquad fV(\pi\cdot X) = \{X\} \qquad fV(f(r)) = fV(r)$$
$$fV([a]r) = fV(r) \qquad fV((r_1, \ldots, r_n)) = \bigcup_i fV(r_i)$$
$$fV(\bot) = \varnothing \qquad fV(\phi \Rightarrow \psi) = fV(\phi) \cup fV(\psi)$$
$$fV(P(r)) = fV(r) \qquad fV(\forall X.\phi) = fV(\phi) \setminus \{X\}$$

Lemma 2.14. $fa(\pi\cdot r) = \pi\cdot fa(r)$ and $fa(\pi\cdot\phi) = \pi\cdot fa(\phi)$. Also, $fV(\Pi\cdot r) = \Pi\cdot fV(r)$ and $fV(\Pi\cdot\phi) = \Pi\cdot fV(\phi)$.

Proof. By routine inductions on r. □
2.3. α-equivalence

The use of permissive-nominal terms allows us to 'just quotient' syntax by α-equivalence. We can do this for both level 1 variable symbols (atoms) and level 2 variable symbols (unknowns).

Definition 2.15. Call a relation $\mathcal{R}$ on terms and on propositions a congruence when it is closed under the following rules:⁶

$$\frac{r_i\ \mathcal{R}\ s_i \quad (1 \le i \le n)}{(r_1, \ldots, r_n)\ \mathcal{R}\ (s_1, \ldots, s_n)} \qquad \frac{r\ \mathcal{R}\ s}{f(r)\ \mathcal{R}\ f(s)}\ (f : (\alpha)\tau,\ r, s : \alpha) \qquad \frac{r\ \mathcal{R}\ s}{[a]r\ \mathcal{R}\ [a]s}$$

$$\frac{\phi\ \mathcal{R}\ \phi' \quad \psi\ \mathcal{R}\ \psi'}{\phi \Rightarrow \psi\ \mathcal{R}\ \phi' \Rightarrow \psi'} \qquad \frac{r\ \mathcal{R}\ s}{P(r)\ \mathcal{R}\ P(s)}\ (P : \alpha,\ r, s : \alpha) \qquad \frac{\phi\ \mathcal{R}\ \phi'}{\forall X.\phi\ \mathcal{R}\ \forall X.\phi'}$$

Definition 2.16. Write (a b) for the (level 1) swapping permutation which maps a to b and b to a and all other c to themselves. Similarly, provided sort(X) = sort(Y) and pmss(X) = pmss(Y), write (X Y) for the (level 2) swapping.

Define α-equivalence $=_\alpha$ on terms and propositions to be the least equivalence relation that is a congruence and is such that:

$$\frac{(a, b \notin fa(r))}{(b\ a)\cdot r =_\alpha r} \qquad \frac{(X, Y \notin fV(\phi))}{(Y\ X)\cdot\phi =_\alpha \phi}$$



⁶ We do not assume a congruence is an equivalence relation. This is because in a more general context we are interested in rewriting relations, which satisfy the rules of Definition 2.15 but are not equivalence relations.

Example 2.17. We α-convert X and a in ∀X.P([a]X).

Let sort(Y) = sort(X) and pmss(Y) = pmss(X). Suppose b ∉ pmss(X). Using (a b) and (X Y) we deduce:

$$\forall X.P([a]X) =_\alpha \forall X.P([b](b\ a)\cdot X) =_\alpha \forall Y.P([b](b\ a)\cdot Y).$$

It is routine to convert this sketch into a full derivation-tree.



Definition 2.18. For each signature S, we take terms and propositions quotiented by α-equivalence.



2.4. Substitution 



Definition 2.19. A (level 2) substitution θ is a function from unknowns to terms such that:

• For all X, θ(X) : sort(X) and fa(θ(X)) ⊆ pmss(X).

• θ(X) = id·X for all but finitely many X.

θ will range over substitutions.

Definition 2.20. Define nontriv(θ) by:

$$nontriv(\theta) = \{X \mid \theta(X) \neq id\cdot X \text{ or } X \in fV(\theta(Y)) \text{ for some } Y\}$$

nontriv(θ) is the set of unknowns that can be produced or consumed by θ, other than in the trivial manner that θ(X) = id·X.

Definition 2.21. Define a substitution action by:

$$a\theta = a \qquad (r_1, \ldots, r_n)\theta = (r_1\theta, \ldots, r_n\theta) \qquad ([a]r)\theta = [a](r\theta)$$
$$(\pi\cdot X)\theta = \pi\cdot\theta(X) \qquad f(r)\theta = f(r\theta)$$
$$\bot\theta = \bot \qquad (\phi \Rightarrow \psi)\theta = (\phi\theta) \Rightarrow (\psi\theta) \qquad (P(r))\theta = P(r\theta)$$
$$(\forall X.\phi)\theta = \forall X.(\phi\theta) \quad (X \notin nontriv(\theta))$$

Remark 2.22. Level 2 substitution rθ is capturing for level 1 abstraction [a]-. For example if θ(X) = a then ([a]X)θ = [a]a. This is the behaviour displayed by the informal meta-level when we write "take t to be x in λx.t".
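As an added worked example (this is not code from the paper), here is a small Python implementation of the definitions of Sections 2.2 to 2.4 over a single name sort: the level 1 action of Definition 2.10, a free-atom membership test for Definition 2.13, a decision procedure for the α-equivalence of Definition 2.16, and the capturing substitution of Definition 2.21 and Remark 2.22. Its conventions are constructed for the example: atoms are non-zero integers with negatives standing for A^< and positives for A^>, tuples are omitted, and the unknown case of the α-check uses the standard characterisation that π·X =α π'·X exactly when π and π' agree on pmss(X).

```python
"""Permissive-nominal terms over one name sort (tuples omitted): the level 1
permutation action (Def. 2.10), free-atom test (Def. 2.13), alpha-equivalence
(Def. 2.16) and capturing level 2 substitution (Def. 2.21, Remark 2.22).
Constructed conventions: atoms are non-zero ints, negatives stand for A^< and
positives for A^>; a permission set is (A^< ∪ plus) \\ minus, plus and minus finite."""
from typing import Dict, FrozenSet, NamedTuple, Optional, Union

class Perm:
    """Finitely supported bijection on atoms, stored as its non-trivial part."""
    def __init__(self, mapping: Optional[Dict[int, int]] = None):
        self.map = {a: b for a, b in (mapping or {}).items() if a != b}
        assert set(self.map.values()) == set(self.map), "not a bijection"
    def __call__(self, a: int) -> int:
        return self.map.get(a, a)
    def inverse(self) -> "Perm":
        return Perm({b: a for a, b in self.map.items()})
    def compose(self, other: "Perm") -> "Perm":   # (pi o pi')(a) = pi(pi'(a))
        return Perm({a: self(other(a)) for a in set(self.map) | set(other.map)})

def swap(a: int, b: int) -> Perm:                  # the swapping (a b)
    return Perm({a: b, b: a})

ID = Perm()

class PermSet(NamedTuple):                         # (A^< ∪ plus) \ minus
    plus: FrozenSet[int] = frozenset()             # finite subset of A^>
    minus: FrozenSet[int] = frozenset()            # finite subset of A^<
    def __contains__(self, a: int) -> bool:
        return (a < 0 and a not in self.minus) or a in self.plus

class Atom(NamedTuple): name: int                                  # a
class Unknown(NamedTuple): perm: Perm; name: str; pmss: PermSet    # pi.X
class Abs(NamedTuple): atom: int; body: "Term"                     # [a]r
class App(NamedTuple): former: str; arg: "Term"                    # f(r)
Term = Union[Atom, Unknown, Abs, App]

def act(p: Perm, t: Term) -> Term:
    """Level 1 action pi.r; on unknowns pi.(pi'.X) = (pi o pi').X."""
    if isinstance(t, Atom):
        return Atom(p(t.name))
    if isinstance(t, Unknown):
        return Unknown(p.compose(t.perm), t.name, t.pmss)
    if isinstance(t, Abs):
        return Abs(p(t.atom), act(p, t.body))
    return App(t.former, act(p, t.arg))

def free_in(a: int, t: Term) -> bool:
    """a ∈ fa(r); fa(pi.X) = pi.pmss(X) is infinite, so it is queried, not built."""
    if isinstance(t, Atom):
        return t.name == a
    if isinstance(t, Unknown):
        return t.perm.inverse()(a) in t.pmss       # a ∈ pi.S iff pi^-1(a) ∈ S
    if isinstance(t, Abs):
        return a != t.atom and free_in(a, t.body)
    return free_in(a, t.arg)

def alpha_eq(r: Term, s: Term) -> bool:
    """Decides =alpha: the congruence closed under (b a).r =alpha r for a, b ∉ fa(r)."""
    if type(r) is not type(s):
        return False
    if isinstance(r, Atom):
        return r.name == s.name
    if isinstance(r, Unknown):
        # pi.X =alpha pi'.X iff pi and pi' agree on pmss(X); both are the identity
        # outside their finite non-trivial parts, so only those atoms are checked.
        return (r.name == s.name and r.pmss == s.pmss and
                all(r.perm(c) == s.perm(c)
                    for c in set(r.perm.map) | set(s.perm.map) if c in r.pmss))
    if isinstance(r, Abs):
        if r.atom == s.atom:
            return alpha_eq(r.body, s.body)
        # [a]r =alpha [b]s  iff  b ∉ fa(r) and (b a).r =alpha s
        return (not free_in(s.atom, r.body) and
                alpha_eq(act(swap(s.atom, r.atom), r.body), s.body))
    return r.former == s.former and alpha_eq(r.arg, s.arg)

def subst(theta: Dict[str, Term], t: Term) -> Term:
    """Level 2 substitution r.theta: (pi.X)theta = pi.theta(X); it captures under
    [a]- (Remark 2.22). Checking fa(theta(X)) ⊆ pmss(X) is left to the caller."""
    if isinstance(t, Atom):
        return t
    if isinstance(t, Unknown):
        return act(t.perm, theta[t.name]) if t.name in theta else t
    if isinstance(t, Abs):
        return Abs(t.atom, subst(theta, t.body))
    return App(t.former, subst(theta, t.arg))

# Example 2.17 on terms: with b ∉ pmss(X), lam([a]X) =alpha lam([b](b a).X).
X = Unknown(ID, "X", PermSet())      # pmss(X) = A^<; atoms 1, 2 lie in A^>
LAM_A = App("lam", Abs(1, X))
LAM_B = App("lam", Abs(2, act(swap(2, 1), X)))
```

The constants LAM_A and LAM_B encode Example 2.17 on terms with b ∉ pmss(X); alpha_eq(LAM_A, LAM_B) holds, and the same comparison fails as soon as b is added to pmss(X), which is the freshness side-condition of the example.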



2.5. Sequents and derivability 

Definition 2.23. Φ and Ψ will range over sets of propositions. We may write φ, Φ and Ψ, φ as shorthand for {φ} ∪ Φ (where we do not insist that φ ∉ Φ, that is, the union need not be disjoint).
Figure 1: Sequent derivation rules of full Permissive-Nominal Logic. (The rules are (Ax), (⊥L), (⇒L), (⇒R), (∀L) with side-condition (fa(r) ⊆ pmss(X), r : sort(X)), and (∀R); the figure itself is not reproduced here.)

Figure 2: Sequent derivation rules of restricted Permissive-Nominal Logic. (The rules are (Ax'), (⊥L), (⇒L), (⇒R), (∀L) with side-condition (fa(r) ⊆ pmss(X), r : sort(X)) and conclusion Φ, ∀X.φ ⊩ Ψ, and (∀R); the figure itself is not reproduced here.)

• A sequent of restricted PNL is a pair Φ ⊩ Ψ.

• A sequent of full PNL is a pair Φ ⊢ Ψ.

Write $fV(\Phi, \Psi) = \bigcup\{fV(\phi) \mid \phi \in \Phi\} \cup \bigcup\{fV(\psi) \mid \psi \in \Psi\}$.



Definition 2.24 (Derivable sequents). Define the derivable sequents of full PNL and restricted PNL by the rules in Figures 1 and 2 respectively.

The sole difference between Figures 1 and 2 is in the axiom rule, and is highlighted with a light blue rectangle.

Notation 2.25. We may write Φ ⊩ Ψ as shorthand for 'Φ ⊩ Ψ is a derivable sequent'. We may write Φ ⊮ Ψ as shorthand for 'Φ ⊩ Ψ is not a derivable sequent'. Similarly for Φ ⊢ Ψ and Φ ⊬ Ψ.

Figure 1 is the logic of [DG11, Gab11b]. Figure 2 is the logic we translate to HOL in this paper. The only difference is the 'π' in the axiom rule: full PNL has it (see (Ax)), and restricted PNL does not (see (Ax')). Restricted PNL is a subset of full PNL, in the sense that (obviously) Φ ⊩ Ψ implies Φ ⊢ Ψ (this suggests that the models of restricted PNL should be a superset of those of full PNL, which will indeed turn out to be the case; see Appendix A).
Why the difference? Because the translation to HOL identifies atoms with functional arguments. Atoms are symmetric up to permutation in full PNL; this is built into (Ax) in Figure 1. Functional arguments are typically not symmetric.

We might try to translate full PNL to HOL by translating n! permutation instances of each r or φ, where n is some notion of the number of atoms in r or φ (cf. capture typings in Definition 4.6); but that would be 'cheating' in the sense that most of the syntax would then be generated by a meta-level 'macro' which does n! amount of work. The issue here is not whether PNL can be encoded in HOL; the issue is whether it can be cleanly translated into HOL. These are related but distinct questions.

To quickly see the difference in derivational power between full and restricted PNL, assume a name sort ν, a proposition-former P : ν, and two atoms a, b : ν. Then the difference in the entailment relations of PNL and restricted PNL can be summed up as follows:

• P(a) ⊢ P(a) and P(a) ⊩ P(a).

• P(a) ⊢ P(b) but P(a) ⊮ P(b).

In Appendix A we see that this difference corresponds in models to proposition-formers being interpreted by equivariant functions (for full PNL) or not necessarily equivariant functions (for restricted PNL).

It has to be this way: Definition 4.3 translates PNL terms and predicates to HOL terms and predicates. In Lemma 4.17 we illustrate why only restricted PNL can be translated to HOL by our translation: the derivability of full PNL is too strong for HOL derivability and the translation would not be sound.

Note that this does not prove that other translations to HOL do not exist, but (as the discussion of n! above suggests) we speculate that they would be significantly less natural.

3. HOL syntax and derivability 

Higher-order logic (HOL) syntax and derivability should be familiar [Mil92, Far08, 
And86, Chu40]. We give the basics. 

3.1. Syntax 

We present HOL as a derivation system over simply-typed λ-terms with constants and types for logical reasoning (like a type of truth-values and constant symbols like ⇒ and ∀). This is all standard.

Definition 3.1. A HOL signature is a set $\mathcal{D}$ of base types, which includes a distinguished base type of truth-values $o \in \mathcal{D}$. μ will range over base types. A type-language is defined by

$$\beta ::= \mu \mid (\beta, \ldots, \beta) \mid \beta \to \beta.$$

It is not necessary to include products $(\beta_1, \ldots, \beta_n)$, but for the purposes of translating PNL into HOL doing this is convenient.

Definition 3.2. A term-signature over a HOL signature $\mathcal{D}$ is a tuple $(\mathcal{G}, type)$ where:

• $\mathcal{G}$ is a set of constants, which must contain elements $\bot$, $\Rightarrow$, and $\forall_\beta$ for every type β.

• type assigns to each $g \in \mathcal{G}$ a type β in the type-language determined by $\mathcal{D}$, such that $type(\bot) = o$, $type(\Rightarrow) = o \to o \to o$, and $type(\forall_\beta) = (\beta \to o) \to o$.⁷

A signature $\mathcal{T}$ is then a tuple $(\mathcal{D}, \mathcal{G}, type)$. We write g : β for type(g) = β.

Definition 3.3. For each signature $\mathcal{T} = (\mathcal{D}, \mathcal{G}, type)$ and each type β over $\mathcal{D}$ fix a countably infinite set of variables of that type.

X, Y, Z will range over distinct HOL variables.⁸ Write type(X) for the type of X.

Definition 3.4. For each signature $\mathcal{T}$ define HOL terms over $\mathcal{T}$ by

$$t ::= X \mid \lambda X.t \mid tt \mid (t, \ldots, t) \mid g$$

and a typing relation by:

$$\frac{}{X : \beta}\ (type(X) = \beta) \qquad \frac{t : \beta}{\lambda X.t : \beta' \to \beta}\ (type(X) = \beta') \qquad \frac{t' : \beta' \to \beta \quad t : \beta'}{t't : \beta} \qquad \frac{t_1 : \beta_1 \ \cdots\ t_n : \beta_n}{(t_1, \ldots, t_n) : (\beta_1, \ldots, \beta_n)} \qquad \frac{}{g : \beta}\ (type(g) = \beta)$$


We now define a-equivalence. We would not normally be so detailed about this, but 
when we map PNL terms and propositions to HOL later, it will be useful to have been 
precise here: 

Definition 3.5. A permutation of HOL variables is a bijection ϖ such that $nontriv(\varpi) = \{X \mid \varpi(X) \neq X\}$ is finite. Give HOL terms a permutation action ϖ·t defined by:

$$\varpi\cdot X = \varpi(X) \qquad \varpi\cdot\lambda X.t = \lambda\varpi(X).\varpi\cdot t \qquad \varpi\cdot(t't) = (\varpi\cdot t')(\varpi\cdot t)$$
$$\varpi\cdot(t_1, \ldots, t_n) = (\varpi\cdot t_1, \ldots, \varpi\cdot t_n) \qquad \varpi\cdot g = g$$

Free variables are defined by:

$$fv(X) = \{X\} \qquad fv(\lambda X.t) = fv(t) \setminus \{X\} \qquad fv(t't) = fv(t') \cup fv(t)$$
$$fv((t_1, \ldots, t_n)) = \bigcup_i fv(t_i) \qquad fv(g) = \varnothing$$

Call a relation $\mathcal{R}$ on HOL terms a congruence when it is closed under the following rules:

$$\frac{t\ \mathcal{R}\ u}{\lambda X.t\ \mathcal{R}\ \lambda X.u} \qquad \frac{t'\ \mathcal{R}\ u' \quad t\ \mathcal{R}\ u}{t't\ \mathcal{R}\ u'u} \qquad \frac{t_i\ \mathcal{R}\ u_i \quad (1 \le i \le n)}{(t_1, \ldots, t_n)\ \mathcal{R}\ (u_1, \ldots, u_n)}$$



⁷ The authors deprecate calling this 'higher-order abstract syntax' (HOAS), as sometimes happens. We should reserve that term for inductive types with binding constructed using constants of higher type like (Λ → Λ) → Λ (strong HOAS) or (ν → Λ) → Λ (weak HOAS) [DH94, PE88].

A term ∀ : (β → o) → o (plus axioms) expresses the meaning of ∀ [Chu40, Section 2] and would still have meaning if our syntax was, e.g. combinators. In contrast, the syntax of combinators could be represented without any need for higher-order syntax, since it does not have binders [HS08, Section 2].

⁸ This means that if the reader sees 'X' this could refer either to a HOL variable or, recalling Definition 2.3, to a PNL unknown. We will make sure that it is always clear from context which is meant.
Figure 3: Sequent derivation rules of Higher-Order Logic. (The rules are (⊪Ax), (⊪⇒L), (⊪⇒R), (⊪∀L), which derives $\Xi, \forall X.\xi \Vvdash \mathcal{X}$ from $\Xi, \xi[X{::=}t] \Vvdash \mathcal{X}$ with side-condition (t : type(X)), and (⊪∀R), which concludes $\Xi \Vvdash \forall X.\xi, \mathcal{X}$; the figure itself is not reproduced here.)



Define α-equivalence to be the least congruence that is an equivalence relation and is such that:

$$\frac{(X, Y \notin fv(t))}{(Y\ X)\cdot t =_\alpha t}$$

We quotient terms by α-equivalence and define capture-avoiding substitution t[X::=u] as usual.

Definition 3.6. We write t : β for t is a term and has type β. We call t typable when t : β for some type β.

We call a term a HOL proposition when it has type o. ξ and χ will range over HOL propositions.

Definition 3.7. Ξ and $\mathcal{X}$ will range over sets of HOL propositions. We may write ξ, Ξ and Ξ, ξ as shorthand for {ξ} ∪ Ξ.

Write $fV(\Xi, \mathcal{X}) = \bigcup\{fv(\xi) \mid \xi \in \Xi\} \cup \bigcup\{fv(\chi) \mid \chi \in \mathcal{X}\}$.

A sequent is a pair Ξ ⊪ $\mathcal{X}$.



Definition 3.8 (Derivable sequents). The derivable sequents are defined in Figure 3. 



4. The translation from nominal to functional syntax, and its soundness 

4.1. Translation from PNL to higher-order logic 

In this subsection we show how to translate a PNL signature S and propositions and terms in that signature, to a higher-order logic (HOL) signature and propositions and terms in that signature. We start by translating a PNL signature S to a HOL signature $\mathcal{T}_S$. First, we set up some notation:

Notation 4.1. Let D range over finite lists of distinct atoms.

• Write a ∈ D when a occurs in D.

• Write D' ⊆ D when every element in D' occurs in D (disregarding order). Similarly if S is a set of atoms write D ⊆ S when every element in D occurs in S.
Figure 4: Translation from PNL to HOL. [The two-column layout did not survive extraction; the clauses are reassembled from the legible fragments and from the places in the text that restate them (Remark 4.7, the introduction to Section 5, Lemmas 4.14 and 4.17, and the proof of Theorem 4.11).]

$\lfloor a\rfloor^D = a$
$\lfloor (r_1, \ldots, r_n)\rfloor^D = (\lfloor r_1\rfloor^D, \ldots, \lfloor r_n\rfloor^D)$
$\lfloor \mathsf{f}(r)\rfloor^D = \mathsf{g}_{\mathsf{f}}\, \lfloor r\rfloor^D$
$\lfloor [a]r\rfloor^D = \lambda a.\lfloor r\rfloor^D$
$\lfloor \pi\cdot X\rfloor^D = X_D\, \pi\cdot D_X$
$\lfloor \bot\rfloor^D = \bot$
$\lfloor \mathsf{P}(r)\rfloor^D = \mathsf{g}_{\mathsf{P}}\, \lfloor r\rfloor^D$
$\lfloor \forall X.\phi\rfloor^D = \forall\lambda X.\lfloor\phi\rfloor^D$



• If S is a set of atoms write $D \cap S$ for the list obtained by removing from D just those atoms not in S. Also write $D_X$ as shorthand for $D \cap pmss(X)$.

• Write $\pi\cdot D$ for the list obtained by applying $\pi$ pointwise to the elements of D in order.

• Write $D, a$ for the list obtained by appending a; when we write this we include an assumption that $a \notin D$.

• Write $\lambda D.t$ for $\lambda d_1.\ldots\lambda d_n.t$ where $D = [d_1, \ldots, d_n]$.

Definition 4.2. From a PNL signature $\Sigma$ determine a HOL signature $T_\Sigma$ by the following specification:

• For every atoms-sort $\nu$ in $\Sigma$ assume a HOL base type $\mu_\nu$.

• For every base sort $\tau$ assume a HOL type $\mu_\tau$.

Translate sorts in $\Sigma$ to types in $T_\Sigma$ as follows:

$\lfloor\tau\rfloor = \mu_\tau$
$\lfloor(\alpha_1, \ldots, \alpha_n)\rfloor = (\lfloor\alpha_1\rfloor, \ldots, \lfloor\alpha_n\rfloor)$
$\lfloor[\nu]\alpha\rfloor = \nu \to \lfloor\alpha\rfloor$

• For every term-former $\mathsf{f} : (\alpha)\tau$ assume a HOL constant $\mathsf{g}_{\mathsf{f}} : \lfloor\alpha\rfloor \to \lfloor\tau\rfloor$.

• For every proposition-former $\mathsf{P} : \alpha$ assume a HOL constant $\mathsf{g}_{\mathsf{P}} : \lfloor\alpha\rfloor \to o$.

• For every atom $a : \nu$ assume a HOL variable $a : \nu$.

It is convenient to assume this correspondence is a literal identity; i.e. that $\mathbb{A}_\nu$ is actually a subset of the set of HOL variables of type $\nu$, and that there are countably infinitely many HOL variables of type $\nu$ that are not atoms.

In particular, this means that every permutation $\pi$ in the sense of Definition 2.6 is also a permutation in the sense of Definition 3.5.

• For every unknown $X : \alpha$ and list D assume a distinct HOL variable $X_D$ that is not an atom, of type $\nu_{D_X} \to \lfloor\alpha\rfloor$ where $\nu_{D_X}$ is the sorts of the atoms in $D_X$, in order.



Definition 4.3. Given a list D translate PNL terms and propositions in $\Sigma$ to HOL terms and propositions in $T_\Sigma$ (Definition 4.2) by the rules in Figure 4. (The notation $\pi\cdot D_X$ is defined in Notation 4.1.)



So $X_D$ is one of the countably infinitely many HOL variables that are not atoms.
Example 4.4. Suppose $D_X$ (Notation 4.1) is the list $[a]$ and write X for $X_D$. Assume a proposition-former equal of appropriate arity. Then:

$\lfloor id\cdot X\rfloor^D = Xa$, $\lfloor (b\ a)\cdot X\rfloor^D = Xb$, $\lfloor [a]id\cdot X\rfloor^D = \lambda a.(Xa)$, $\lfloor [b](b\ a)\cdot X\rfloor^D = \lambda b.(Xb)$
$\lfloor \forall X.\mathsf{equal}([a]X, [b](b\ a)\cdot X)\rfloor^D = \forall\lambda X.(\mathsf{equal}(\lambda a.(Xa))(\lambda b.(Xb)))$

Assuming appropriate axioms for equal, we would expect this to be true. Now assume $D_Y$ is the list $[a, b]$ and write Y for $Y_D$. Then:

$\lfloor id\cdot Y\rfloor^D = Yab$, $\lfloor (b\ a)\cdot Y\rfloor^D = Yba$, $\lfloor [a]id\cdot Y\rfloor^D = \lambda a.(Yab)$, $\lfloor [b](b\ a)\cdot Y\rfloor^D = \lambda b.(Yba)$
$\lfloor \forall Y.\mathsf{equal}([a]Y, [b](b\ a)\cdot Y)\rfloor^D = \forall\lambda Y.(\mathsf{equal}(\lambda a.(Yab))(\lambda b.(Yba)))$

We would expect this to be false. What has changed with respect to the previous case is that b is fresh for X but not for Y.

Lemma 4.5. • Suppose a is an atom. Then if $a \in fv(\lfloor r\rfloor^D)$ then $a \in fa(r)$.

• $\lfloor \pi\cdot r\rfloor^D = \pi\cdot\lfloor r\rfloor^D$ (for $\pi$ on the right-hand side considered as a permutation of HOL variables).

As a corollary, the translation $\lfloor r\rfloor^D$ is well-defined. That is, if r and s are α-equivalent then

Proof. By routine inductions on r. The proof that $fa(\pi\cdot X) \subseteq fv(\lfloor\pi\cdot X\rfloor^D)$ uses the assumption that $D_X \subseteq pmss(X)$. The corollary follows; for more details see [DGM10]. □

4.2. Capture typing

In order to translate to HOL, some atoms are 'important' and others are not. This is expressed by a capture typing, an idea going back to [DGM09, DGM10].

Definition 4.6. Define capture typings $D \vdash r : A$ and $D \vdash \phi : A$ inductively by the rules in Figure 5. Here D ranges over finite lists of distinct atoms as described in Notation 4.1, and A ranges over finite sets of atoms.

If $A = \varnothing$ then we may omit the ':A' and write just $D \vdash r$ and $D \vdash \phi$. Write $D \vdash \Psi$ when $D \vdash \psi$ for every $\psi \in \Psi$.

Remark 4.7. The interesting case in Figure 5 is the rule for $\pi\cdot X$. This ensures that D is large enough to record all the important atoms in $\pi$ or abstracted further up in the term — that is, those permitted in X — so that we do not lose information when we form $\lfloor\pi\cdot X\rfloor^D = X_D\,\pi\cdot D_X$. This is made formal in Proposition 4.8, which is Theorems 8.12 and 8.14 of [DGM10]:

Proposition 4.8. • If $D \vdash r$ and $D \vdash s$ then $\lfloor r\rfloor^D = \lfloor s\rfloor^D$ implies $r = s$ (note that $=$ denotes α-equality, because we quotiented terms by this relation), and similarly for $\phi$ and $\psi$.

• If $D \nvdash r$ then there exists s such that $\lfloor r\rfloor^D = \lfloor s\rfloor^D$ yet $r \neq s$, and similarly for $\phi$.

Definition 4.3 maps PNL terms and predicates to typable HOL terms:

Proposition 4.9. If $r : \alpha$ then for any D, $\lfloor r\rfloor^D : \lfloor\alpha\rfloor$, and $\lfloor\phi\rfloor^D : o$.

Proof. By inductions on r and $\phi$.

• The case $a \in \mathbb{A}_\nu$. Then $\lfloor a\rfloor^D = a : \nu$ by definition.
Figure 5: Capture typing. [The inference-rule layout did not survive extraction; the rules are listed here in premises/conclusion form.]

• $D \vdash a : A$ (no premises).
• From $D \vdash r : A$ conclude $D \vdash \mathsf{f}(r) : A$.
• From $D \vdash r : A, a$ conclude $D \vdash [a]r : A$.
• From $D \vdash r_i : A$ for $1 \le i \le n$ conclude $D \vdash (r_1, \ldots, r_n) : A$.
• $D \vdash \pi\cdot X : A$ provided $(nontriv(\pi) \cup A) \cap pmss(X) \subseteq D$.
• From $D \vdash r : A$ conclude $D \vdash \mathsf{P}(r) : A$.
• $D \vdash \bot : A$ (no premises).
• From $D \vdash \phi : A$ and $D \vdash \psi : A$ conclude $D \vdash \phi \Rightarrow \psi : A$.
• From $D \vdash \phi : A$ conclude $D \vdash \forall X.\phi : A$.



• The case $[a]r$ where $a \in \mathbb{A}_\nu$. By inductive hypothesis $\lfloor r\rfloor^D : \beta$ for some type $\beta$. It follows that $\lfloor [a]r\rfloor^D = \lambda a.\lfloor r\rfloor^D : \nu \to \beta$.

• The case $\pi\cdot X$. Suppose $D \vdash \pi\cdot X$. It is routine to check that $X_D\,\pi\cdot D_X : \lfloor sort(X)\rfloor$.

□
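The following is an added example, not code from the paper: it implements the translation $\lfloor - \rfloor^D$ of Definition 4.3 (Figure 4) and the capture typing of Definition 4.6 (Figure 5) on a small PNL term language, then replays Example 4.4 and exhibits the phenomenon of Proposition 4.8. Assumptions: permission sets are finite here (the paper's are infinite); HOL terms are rendered as strings, with $X_D$ rendered simply as X and application written with spaces; and the clause for $\mathsf{f}(r)$, which is illegible in the extracted Figure 4, is assumed to follow the $\mathsf{P}(r)$ clause, i.e. $\mathsf{g}_{\mathsf{f}}$ applied to $\lfloor r\rfloor^D$.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

Atom = str
Perm = Dict[Atom, Atom]   # a finite permutation, stored as its non-trivial part


def nontriv(pi: Perm) -> FrozenSet[Atom]:
    moved = {a for a, b in pi.items() if a != b}
    return frozenset(moved | {pi[a] for a in moved})


@dataclass(frozen=True)
class Unknown:
    name: str
    pmss: FrozenSet[Atom]  # permission set pmss(X); finite here, infinite in the paper

@dataclass
class Atm:            # atom a
    a: Atom

@dataclass
class Susp:           # moderated unknown pi·X
    pi: Perm
    X: Unknown

@dataclass
class Abs:            # atoms-abstraction [a]r
    a: Atom
    r: "Term"

@dataclass
class App:            # term-former application f(r)
    f: str
    r: "Term"

@dataclass
class Tup:            # tuple (r1, ..., rn)
    rs: List["Term"]

Term = Union[Atm, Susp, Abs, App, Tup]

@dataclass
class Pred:           # proposition P(r)
    P: str
    r: Term

@dataclass
class Forall:         # proposition ∀X.phi
    X: Unknown
    phi: "Prop"

Prop = Union[Pred, Forall]


def d_x(D: List[Atom], X: Unknown) -> List[Atom]:
    """D_X = D ∩ pmss(X), keeping the order of D (Notation 4.1)."""
    return [d for d in D if d in X.pmss]


def translate(t, D: List[Atom]) -> str:
    """⌊t⌋^D rendered as a HOL term string; X_D is rendered as X."""
    if isinstance(t, Atm):                 # ⌊a⌋^D = a
        return t.a
    if isinstance(t, Susp):                # ⌊pi·X⌋^D = X_D (pi·D_X)
        return " ".join([t.X.name] + [t.pi.get(d, d) for d in d_x(D, t.X)])
    if isinstance(t, Abs):                 # ⌊[a]r⌋^D = λa.⌊r⌋^D
        return f"λ{t.a}.({translate(t.r, D)})"
    if isinstance(t, (App, Pred)):         # g_f ⌊r⌋^D (f-clause assumed) / g_P ⌊r⌋^D
        head = t.f if isinstance(t, App) else t.P
        return f"g_{head} {translate(t.r, D)}"
    if isinstance(t, Tup):
        return "(" + ", ".join(translate(r, D) for r in t.rs) + ")"
    if isinstance(t, Forall):              # ⌊∀X.phi⌋^D = ∀λX.⌊phi⌋^D
        return f"∀λ{t.X.name}.({translate(t.phi, D)})"
    raise TypeError(t)


def captures(t, D: List[Atom], A: FrozenSet[Atom] = frozenset()) -> bool:
    """D ⊢ t : A, the capture typing of Figure 5."""
    if isinstance(t, Atm):
        return True
    if isinstance(t, Susp):                # (nontriv(pi) ∪ A) ∩ pmss(X) ⊆ D
        return ((nontriv(t.pi) | A) & t.X.pmss) <= set(D)
    if isinstance(t, Abs):                 # the premise is D ⊢ r : A, a
        return captures(t.r, D, A | {t.a})
    if isinstance(t, (App, Pred)):
        return captures(t.r, D, A)
    if isinstance(t, Tup):
        return all(captures(r, D, A) for r in t.rs)
    if isinstance(t, Forall):
        return captures(t.phi, D, A)
    raise TypeError(t)


# Example 4.4 replayed (constructed data): D = [a, b]; b is fresh for X but not for Y.
X = Unknown("X", frozenset({"a"}))
Y = Unknown("Y", frozenset({"a", "b"}))
SWAP: Perm = {"a": "b", "b": "a"}      # the swapping (b a)
ID: Perm = {}

def example_4_4() -> Dict[str, str]:
    D = ["a", "b"]
    return {
        "(b a)·X": translate(Susp(SWAP, X), D),
        "[a]id·X": translate(Abs("a", Susp(ID, X)), D),
        "[b](b a)·Y": translate(Abs("b", Susp(SWAP, Y)), D),
        "∀X.equal([a]X,[b](b a)·X)": translate(Forall(X, Pred("equal",
            Tup([Abs("a", Susp(ID, X)), Abs("b", Susp(SWAP, X))]))), D),
    }

def proposition_4_8_witness():
    """Without a capture typing ⌊-⌋^D identifies two distinct terms; with one it
    keeps them apart. Returns [(D ⊢ r ?, ⌊r⌋^D == ⌊s⌋^D ?)] for D = [] and D = [a, c]."""
    Z = Unknown("Z", frozenset({"a", "c"}))
    r, s = Abs("a", Susp(ID, Z)), Abs("a", Susp({"a": "c", "c": "a"}, Z))
    return [(captures(r, D), translate(r, D) == translate(s, D)) for D in ([], ["a", "c"])]
```

The witness pair is $[a]X$ versus $[a](a\ c)\cdot X$ with $a, c$ both permitted in X: with $D = []$ both translate to $\lambda a.(X)$ although the terms differ, and indeed $[] \nvdash [a]X$; with $D = [a, c]$ they translate to $\lambda a.(X\,a\,c)$ and $\lambda a.(X\,c\,a)$ respectively.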

4.3. Re-indexing capture contexts

When we prove soundness of the translation (Theorem 4.16) there will be a problem, because we are interested in proving soundness of translating a sequent $\Phi \vdash \Psi$ but because we work by induction on derivations $\Pi$ we may have to translate all sequents in $\Pi$, some of which might have 'extra' capturable atoms.

We need to translate using a large $D'$ and then re-index to D:

Definition 4.10. Define a substitution $[D' \mapsto D]$ by:

$[D' \mapsto D](X_{D'}) = \lambda D'_X.(X_D\, D_X)$
$[D' \mapsto D](Y) = Y$ for all other Y

Theorem 4.11. If $D' \vdash r : A$ then $\lfloor r\rfloor^D =_{\alpha\beta} \lfloor r\rfloor^{D'}[D' \mapsto D]$. Similarly, if $D' \vdash \phi : A$ then $\lfloor\phi\rfloor^D =_{\alpha\beta} \lfloor\phi\rfloor^{D'}[D' \mapsto D]$.

Proof. By inductions on r and $\phi$. We consider a selection of cases:

• The case $\pi\cdot X$. We reason as follows:

$\lfloor\pi\cdot X\rfloor^{D'}[D' \mapsto D] = (X_{D'}\,\pi\cdot D'_X)[D' \mapsto D]$  Definition 4.3
$= (\lambda D'_X.(X_D\, D_X))\,\pi\cdot D'_X$  Definition 4.10
$= X_D\,\pi\cdot D_X$  $nontriv(\pi) \cap pmss(X) \subseteq D'_X$

• The case $[a]r$. We reason as follows:

$\lfloor [a]r\rfloor^{D'}[D' \mapsto D] = (\lambda a.\lfloor r\rfloor^{D'})[D' \mapsto D]$  Definition 4.3
$= \lambda a.(\lfloor r\rfloor^{D'}[D' \mapsto D])$  taking $a \notin D, D'$
$= \lambda a.(\lfloor r\rfloor^D)$  ind. hyp.
$= \lfloor [a]r\rfloor^D$  Definition 4.3

• The case $\forall X.\phi$. We reason as follows:

$\lfloor\forall X.\phi\rfloor^{D'}[D' \mapsto D] = (\forall\lambda X.\lfloor\phi\rfloor^{D'})[D' \mapsto D]$  Definition 4.3
$= \forall\lambda X.(\lfloor\phi\rfloor^{D'}[D' \mapsto D])$  fact
$= \forall\lambda X.\lfloor\phi\rfloor^D$  ind. hyp.
$= \lfloor\forall X.\phi\rfloor^D$  Definition 4.3

□



4.4. Soundness of the translation

Recall that HOL terms have a permutation action $\pi\cdot t$ given by considering $\pi$ as a permutation on HOL variables and using Definition 3.5. Then:

Lemma 4.12. If $nontriv(\pi) \cap fv(t) \subseteq D$ then $(\lambda D.t)\,\pi\cdot D =_{\alpha\beta} \pi\cdot t$ (see Notation 4.1).

Proof. A fact of αβ-conversion [DGM10, Lemma 9.2]. □

Definition 4.13. Write $r' : X$ when $r' : sort(X)$ and $fa(r') \subseteq pmss(X)$.

Lemma 4.14. Suppose $D \vdash r$ and $D \vdash \phi$. Suppose $r' : X$. Then:

• $\lfloor r[X::=r']\rfloor^D = \lfloor r\rfloor^D[X::=\lambda D_X.\lfloor r'\rfloor^D]$.
• $\lfloor\phi[X::=r']\rfloor^D = \lfloor\phi\rfloor^D[X::=\lambda D_X.\lfloor r'\rfloor^D]$.

Proof. By routine inductions on r and $\phi$. We sketch two cases:

• The case $(\pi\cdot X)[X::=r']$. We must prove that $\lfloor\pi\cdot r'\rfloor^D =_{\alpha\beta} (\lambda D_X.\lfloor r'\rfloor^D)\,\pi\cdot D_X$. This follows by Lemmas 4.5 and 4.12.

• The case $\mathsf{P}(r)[X::=r']$. We must prove that $\lfloor\mathsf{P}(r[X::=r'])\rfloor^D = \mathsf{g}_{\mathsf{P}}(\lfloor r\rfloor^D[X::=\lambda D_X.\lfloor r'\rfloor^D])$. This follows directly from the first part. □

Proposition 4.15. Suppose $D \vdash \phi$ and $D \vdash r' : X$. Then $\lfloor\forall X.\phi\rfloor^D \vdash \lfloor\phi[X::=r']\rfloor^D$.

Proof. Using Lemma 4.14 and (h∀L) from Figure 3. □



Theorem 4.16. The interpretation is sound: if $\Phi \vdash \Psi$ and $D \vdash \Phi$ and $D \vdash \Psi$ then $\lfloor\Phi\rfloor^D \vdash \lfloor\Psi\rfloor^D$.

Proof. Choose $D'$ such that $D' \vdash \Psi'$ and $D' \vdash \Phi'$ for every sequent $\Phi' \vdash \Psi'$ appearing in $\Pi$ — it is not hard to verify that some such $D'$ must exist.

It is routine to verify by induction on $\Pi$ that $\lfloor\Phi'\rfloor^{D'} \vdash \lfloor\Psi'\rfloor^{D'}$ is derivable; the case of (∀R) uses Proposition 4.15. So in particular $\lfloor\Phi\rfloor^{D'} \vdash \lfloor\Psi\rfloor^{D'}$.

It follows, applying the substitution $[D' \mapsto D]$ to both sides and using Theorem 4.11, that $\lfloor\Phi\rfloor^D \vdash \lfloor\Psi\rfloor^D$. □

Lemma 4.17. The interpretation for full PNL (Figure 1, with the stronger axiom rule) would not be sound. That is, there exist $\Phi$ and $\Psi$ and D such that $D \vdash \Phi$, $D \vdash \Psi$, and $\Phi \vdash \Psi$, but $\lfloor\Phi\rfloor^D \nvdash \lfloor\Psi\rfloor^D$.

Proof. Consider a name sort $\nu$ and a unary predicate $\mathsf{P} : \nu$. Then $\mathsf{P}(a) \vdash \mathsf{P}(b)$ in full PNL, but it is not the case that $\mathsf{g}_{\mathsf{P}}\,a \vdash \mathsf{g}_{\mathsf{P}}\,b$ in HOL. □
5. Semantics

For the reader's convenience we will clarify one aspect of the coming notation now: if the reader sees $X$ this is a set with a permutation action; if the reader sees $X^{=}$ this is a set with a renaming action. There is no particular connection between $X$ and $X^{=}$.

A typical renaming is $[a::=b]$ (instead of a typical permutation $(a\ b)$). Formal definitions are in Definitions 2.6 and 5.1.

The reader may not be surprised by the use of sets with a permutation action — nominal techniques are based on these [GP01]. But why the renaming action? We need renamings to make a function out of an atoms-abstraction, mirroring the clause $\lfloor [a]r\rfloor^D = \lambda a.\lfloor r\rfloor^D$ in Definition 4.3.

In PNL models, an abstraction $[a]r$ is modelled as Gabbay-Pitts atoms-abstraction $[a]x$, a sets-based construction from [GP01] (Definition 5.26, in this paper). This is constructed like a pair, from a and x, but destructed like a partial function the graph of which is evident in Definition 5.26. It is defined for fresh b but not for $b \in supp(x) \setminus \{a\}$.

When we translate $[a]r$ to HOL we interpret $[a]r$ as a function using λ-abstraction. This suggests of our models that we translate a partial function $[a]x$ to a total function. But then we have to give meaning to $[a]x$ applied to b where b is not fresh. This is where renaming sets are used.

We can then conclude by noting that every model of PNL can be transformed into a model of HOL, and in a compositional manner (Lemma 8.10). Completeness quickly follows.

5.1. Categories of finitely-supported permutation and renaming sets
5.1.1. Permutation and renaming sets

Definition 5.1. Suppose $\rho$ is a map from $\mathbb{A}$ to $\mathbb{A}$. Define $dom(\rho)$ and $img(\rho)$ by

$dom(\rho) = \{a \mid \rho(a) \neq a\}$ and $img(\rho) = \{\rho(a) \mid a \in dom(\rho)\}$.

Echoing Definition 2.6, a renaming is a map $\rho$ from $\mathbb{A}$ to $\mathbb{A}$ such that $a \in \mathbb{A}_\nu$ implies $\rho(a) \in \mathbb{A}_\nu$, and $nontriv(\rho) = dom(\rho) \cup img(\rho)$ is finite. Write $M$ for the set of renamings.

For $a, b \in \mathbb{A}_\nu$, let an atomic renaming $[a::=b]$ map a to b, b to b, and other c to themselves.

$\rho$ will range over renamings.



Definition 5.2. • A permutation set is a pair $X = (|X|, \cdot)$ of an underlying set $|X|$ and a permutation action $(P \times |X|) \to |X|$ which is a group action; write it infix.
(So $id\cdot x = x$ and $\pi\cdot(\pi'\cdot x) = (\pi \circ \pi')\cdot x$.)
• A renaming set is a pair $X^{=} = (|X^{=}|, \cdot)$ of an underlying set $|X^{=}|$ and a renaming action $(M \times |X^{=}|) \to |X^{=}|$ which is a monoid action; write it infix.
(So $id\cdot x = x$ and $\rho\cdot(\rho'\cdot x) = (\rho \circ \rho')\cdot x$.)

Definition 5.3. • Suppose $X$ is a permutation set. Say that $A \subseteq \mathbb{A}$ supports $x \in |X|$ when for all $\pi, \pi' \in P$, if $\forall a \in A.\pi(a) = \pi'(a)$ then $\pi\cdot x = \pi'\cdot x$.
• Suppose $X^{=}$ is a renaming set. Say that $A \subseteq \mathbb{A}$ supports $x \in |X^{=}|$ when for all $\rho, \rho' \in M$, if $\forall a \in A.\rho(a) = \rho'(a)$ then $\rho\cdot x = \rho'\cdot x$.

Lemma 5.4. If $x \in |X|/|X^{=}|$ has a supporting permission set (Definition 2.5) then it has a unique least supporting set which is equal to the intersection of all permission sets supporting x. We call this the support of x when it exists, and write it $supp(x)$.

Definition 5.5. • Call $x \in |X|/|X^{=}|$ supported when $supp(x)$ exists.

• Call $X$/$X^{=}$ supported when every element $x \in |X|/|X^{=}|$ is supported.

Lemma 5.6. • If $x \in |X|$ then $supp(\pi\cdot x) = \pi\cdot supp(x)$.

• If $x \in |X^{=}|$ then $supp(\rho\cdot x) \subseteq \rho\cdot supp(x)$.

As a corollary, if $\rho$ is injective on $supp(x)$ then $supp(\rho\cdot x) = \rho\cdot supp(x)$.

Proof. By routine calculations using the group/monoid action. □

Example 5.7. The reverse subset inclusion in Lemma 5.6 would not work. For instance, consider $\mathbb{A} \times \mathbb{A} \cup \{*\}$ with the 'exploding' renaming action such that:

• $\rho\cdot * = *$.

• $\rho\cdot(a, a) = (\rho(a), \rho(a))$.

• $\rho\cdot(a, b) = (\rho(a), \rho(b))$ if $\rho(a) \neq \rho(b)$.¹⁰

• $\rho\cdot(a, b) = *$ if $\rho(a) = \rho(b)$.

Then $supp([a::=b]\cdot(a, b)) = \varnothing \subsetneq \{a\} = [a::=b]\cdot supp((a, b))$.
5.1.2. Equivariant elements and maps

Definition 5.8. Call an element x in $|X|/|X^{=}|$ equivariant when $supp(x) = \varnothing$. x is equivariant when $\pi\cdot x = x$ for all $\pi$, or $\rho\cdot x = x$ for all $\rho$, respectively.

Definition 5.9. • Call a function $F \in |X| \to |Y|$ equivariant when

$\forall\pi \in P.\forall x \in |X|.F(\pi\cdot x) = \pi\cdot F(x)$.

• Call a function $G \in |X^{=}| \to |Y^{=}|$ equivariant when

$\forall\rho \in M.\forall x \in |X^{=}|.G(\rho\cdot x) = \rho\cdot G(x)$.

F and G will range over equivariant functions between pairs of permutation and renaming sets respectively.

Lemma 5.10. 1. Suppose $F \in |X| \to |Y|$ is equivariant. Then $supp(F(x)) \subseteq supp(x)$ for every $x \in |X|$.

2. Suppose $G \in |X^{=}| \to |Y^{=}|$ is equivariant. Then $supp(G(x)) \subseteq supp(x)$ for every $x \in |X^{=}|$.

Proof. We consider only the second part. Suppose S supports x, so that for all $\rho$ and $\rho'$, if $\forall a \in S.\rho(a) = \rho'(a)$ then $\rho\cdot x = \rho'\cdot x$. The result follows if we note that $\rho\cdot G(x) = G(\rho\cdot x)$ and $\rho'\cdot G(x) = G(\rho'\cdot x)$. □



¹⁰Recall from Definition 2.5 that by convention a and b are distinct.

Definition 5.11. • Write PmsPrm for the category with objects supported permutation sets and arrows equivariant functions between them.
Henceforth, $X$ and $Y$ will range over objects in PmsPrm.
• Write PmsRen for the category with objects supported renaming sets and arrows equivariant functions between them.

Henceforth, $X^{=}$ and $Y^{=}$ will range over objects in PmsRen.



5.2. The exponential in PmsRen

PmsPrm and PmsRen are both cartesian closed, but we only discuss exponentials for PmsRen in this paper. The reader can find the constructions for PmsPrm e.g. in [Gab11a, Section 9].

PmsPrm is used to give denotation to PNL only, while PmsRen is used to give a denotation to PNL and also to HOL. For this reason, the exponentials of PmsRen are of specific and immediate importance to us, but not those of PmsPrm.

5.2.1. Functions

Recall the definitions of dom and img from Definition 5.1.



Definition 5.12. • Suppose $X, Y \in$ PmsPrm. Suppose $f \in |X| \to |Y|$ (f is not necessarily equivariant).

Call f supported when there exists a permission set $S_f \subseteq \mathbb{A}$ such that for every $x \in |X|$ and permutation $\pi \in P$, if $nontriv(\pi) \cap S_f = \varnothing$ then

• Suppose $X^{=}, Y^{=} \in$ PmsRen. Suppose $f \in |X^{=}| \to |Y^{=}|$ (f is not necessarily equivariant).

Call f supported when there exists a permission set $S_f \subseteq \mathbb{A}$ such that for every $x \in |X^{=}|$ and renaming $\rho \in M$, if $dom(\rho) \cap S_f = \varnothing$ then



Remark 5.13. Definition 5.12 uses a word 'supported' for f, suggestive of Definition 5.3, even though f has no permutation/renaming action. It will have a permutation/renaming action (Remark 5.14 and Definition 5.17), and then the terminologies will coincide (see Lemma 5.21).

Remark 5.14. It is a fact that PmsPrm is cartesian closed and functions have the conjugation action

$(\pi\cdot f)(x) = \pi\cdot(f(\pi^{-1}\cdot x))$,

and f is supported in the sense of Definition 5.12 if and only if it is supported as an element of $|X| \to |Y|$ with the conjugation action. For more on this see [Gab11a, GP01].

Renamings $\rho$ are not invertible, so we must work a little harder to define a renaming action. This is Definition 5.17. However, the end result is similar to the conjugation action, in a sense made formal in Lemma 5.19 which is similar to an immediate corollary of the conjugation action that $\pi\cdot f(x) = (\pi\cdot f)(\pi\cdot x)$.

Lemma 5.15. If f is supported then $supp(f(x)) \subseteq S_f \cup supp(x)$ for every $x \in |X^{=}|$.

Proof. By contradiction. Suppose there exists $a \in supp(f(x)) \setminus (S_f \cup supp(x))$. Choose b fresh (so $b \notin supp(f(x)) \cup S_f \cup supp(x)$). Then $(b\ a)\cdot(f(x)) = f((b\ a)\cdot x)$ since $a, b \notin S_f$, and $f((b\ a)\cdot x) = f(x)$ since $b, a \notin supp(x)$. It follows by Lemma 5.6 that $(b\ a)\cdot supp(f(x)) = supp(f(x))$, which is impossible. □

Definition 5.16. Suppose $S \subseteq \mathbb{A}$ is a permission set and $A \subseteq \mathbb{A}$ is finite. Call $\rho_1$ and $\rho_2$ a freshening pair of renamings for A with respect to S when:

• $dom(\rho_1) = A$ and $dom(\rho_2) = img(\rho_1)$.

• $(\rho_2 \circ \rho_1)(a) = a$ for all $a \in A$.

• $dom(\rho_2) \cap (S \cup A) = \varnothing$.

In words, $\rho_1$ maps the atoms in A to be outside S (and A), and $\rho_2$ is an 'inverse' to $\rho_1$ that puts them back.
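The following is an added example, not code from the paper, serving Definitions 5.1 and 5.3, Lemma 5.6 with Example 5.7, and Definition 5.16 at once. It models renamings as total maps on a constructed universe of four atoms $\{a, b, c, d\}$ (the paper's $\mathbb{A}$ is infinite, so the support computation below, which quantifies over all renamings of the finite universe, is a finite approximation of Definition 5.3), implements the 'exploding' action of Example 5.7 on $\mathbb{A} \times \mathbb{A} \cup \{*\}$, checks that it is a monoid action, computes least supporting sets by brute force to exhibit the strict inclusion of Lemma 5.6, and builds a freshening pair in the sense of Definition 5.16. The helper names (`explode`, `support`, `freshening_pair`) are this example's own.

```python
from itertools import combinations, product
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

Atom = str
Renaming = Dict[Atom, Atom]                       # a total map on ATOMS
ATOMS: Tuple[Atom, ...] = ("a", "b", "c", "d")    # constructed finite universe
STAR = "*"
Elem = Union[str, Tuple[Atom, Atom]]              # an element of A × A ∪ {*}


def dom(rho: Renaming) -> FrozenSet[Atom]:        # dom(rho) = {a | rho(a) ≠ a}
    return frozenset(x for x in ATOMS if rho[x] != x)

def img(rho: Renaming) -> FrozenSet[Atom]:        # img(rho) = {rho(a) | a ∈ dom(rho)}
    return frozenset(rho[x] for x in dom(rho))

def nontriv(rho: Renaming) -> FrozenSet[Atom]:
    return dom(rho) | img(rho)

def compose(rho: Renaming, rho2: Renaming) -> Renaming:   # (rho ∘ rho2)(x) = rho(rho2(x))
    return {x: rho[rho2[x]] for x in ATOMS}

def atomic(a: Atom, b: Atom) -> Renaming:         # the atomic renaming [a::=b]
    return {x: (b if x == a else x) for x in ATOMS}

IDENTITY: Renaming = {x: x for x in ATOMS}
# every map ATOMS -> ATOMS is a renaming here, since nontriv is automatically finite
RENAMINGS: List[Renaming] = [dict(zip(ATOMS, vs)) for vs in product(ATOMS, repeat=len(ATOMS))]


def explode(rho: Renaming, x: Elem) -> Elem:
    """The 'exploding' renaming action of Example 5.7."""
    if x == STAR:
        return STAR
    a, b = x
    if a == b:
        return (rho[a], rho[a])
    return (rho[a], rho[b]) if rho[a] != rho[b] else STAR


def is_monoid_action(act: Callable, elems: List[Elem]) -> bool:
    """id·x = x and rho·(rho'·x) = (rho ∘ rho')·x, as in Definition 5.2."""
    return all(act(IDENTITY, x) == x for x in elems) and all(
        act(r1, act(r2, x)) == act(compose(r1, r2), x)
        for r1 in RENAMINGS for r2 in RENAMINGS for x in elems)


def supports(A: FrozenSet[Atom], x: Elem, act: Callable = explode) -> bool:
    """Definition 5.3 over the finite universe: renamings agreeing on A act alike on x."""
    return all(act(r1, x) == act(r2, x)
               for r1 in RENAMINGS for r2 in RENAMINGS
               if all(r1[a] == r2[a] for a in A))


def support(x: Elem, act: Callable = explode) -> FrozenSet[Atom]:
    """Least supporting set, found by trying subsets of ATOMS in increasing size."""
    for k in range(len(ATOMS) + 1):
        for S in combinations(ATOMS, k):
            if supports(frozenset(S), x, act):
                return frozenset(S)
    return frozenset(ATOMS)


def lemma_5_6_gap() -> Tuple[FrozenSet[Atom], FrozenSet[Atom]]:
    """(supp([a::=b]·(a,b)), [a::=b]·supp((a,b))): the first is a proper subset of
    the second, so the inclusion supp(rho·x) ⊆ rho·supp(x) of Lemma 5.6 is strict."""
    rho = atomic("a", "b")
    return support(explode(rho, ("a", "b"))), frozenset(rho[c] for c in support(("a", "b")))


def freshening_pair(A: FrozenSet[Atom], S: FrozenSet[Atom]) -> Tuple[Renaming, Renaming]:
    """Definition 5.16: rho1 sends A to atoms outside S ∪ A, rho2 sends them back."""
    fresh = [x for x in ATOMS if x not in A | S]
    if len(fresh) < len(A):
        raise ValueError("not enough fresh atoms in the finite universe")
    rho1, rho2 = dict(IDENTITY), dict(IDENTITY)
    for a, f in zip(sorted(A), fresh):
        rho1[a], rho2[f] = f, a
    return rho1, rho2


def is_freshening_pair(rho1: Renaming, rho2: Renaming,
                       A: FrozenSet[Atom], S: FrozenSet[Atom]) -> bool:
    """The three conditions of Definition 5.16, checked literally."""
    return (dom(rho1) == A and dom(rho2) == img(rho1)
            and all(compose(rho2, rho1)[a] == a for a in A)
            and not (dom(rho2) & (S | A)))
```

Running `lemma_5_6_gap()` returns the empty set paired with the image of $supp((a, b))$ under $[a::=b]$, which is exactly the situation Example 5.7 describes: the pair explodes to $*$, whose support is empty, while the renamed support is non-empty.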

5.2.2. Renaming action

Definition 5.17. (We continue the notation of Definition 5.12.) If f is supported then define $\rho\cdot f$ by

$(\rho\cdot f)(x) = (\rho_2 \circ \rho)\cdot f(\rho_1\cdot x)$

for some/any freshening pair of renamings $\rho_1$ and $\rho_2$ for $nontriv(\rho)$ (which is finite), with respect to $supp(x) \cup S_f$.

Lemma 5.18. Definition 5.17 is well-defined. That is, it does not matter which freshening pair of renamings we choose.

Proof. Consider two freshening pairs of renamings $\rho_1, \rho_2$ and $\rho'_1, \rho'_2$.

Let $\rho''_1$ map $img(\rho_1)$ to $img(\rho'_1)$ and $\rho''_2$ map $dom(\rho'_2) = img(\rho'_1)$ to $dom(\rho_2) = img(\rho_1)$ in such a way that

• $\rho'_1(a) = (\rho''_1 \circ \rho_1)(a)$ for all $a \in dom(\rho'_1)$,

• $\rho'_2(a) = (\rho_2 \circ \rho''_2)(a)$ for $a \in dom(\rho'_2)$, and

• $nontriv(\rho''_1) = img(\rho_1) \cup img(\rho'_1)$ and $nontriv(\rho''_2) = dom(\rho_2) \cup dom(\rho'_2)$.

We reason as follows:

(P2 ° P)'f{{p'i ° = {P2° P2° p)'f{{Pi° Pi° p)'x) Lems. 5.15 & 5.6, Def. 5.3 
= {P2° P2° P° Pi)'f{{pi° P)'x) dom{p'{) nSf = 
= iP2° P2° Pi ° p)'f{iPi° P)'x) nontriv{pi) C\ nontriv{p) — 
= (P2 ° p)'f{{pi ° p)'x) Lems. 5.15 & 5.6, Def. 5.3 

□ 

Lemma 5.19. Suppose $x \in |X^{=}|$ and $\rho$ is a renaming. Suppose $f \in |X^{=}| \to |Y^{=}|$ is supported. Then $\rho\cdot(f(x)) = (\rho\cdot f)(\rho\cdot x)$.

Proof. Let $\rho_1$ and $\rho_2$ be a freshening pair of renamings of $nontriv(\rho)$ with respect to $S_f \cup supp(x)$.

Let $\rho'$ be a renaming with $nontriv(\rho') = img(\rho_1)$ such that $\rho_1 \circ \rho = \rho' \circ \rho_1$; this exists since $\rho_1$ is injective on $nontriv(\rho)$ and 'freshens' this set to some fresh set of atoms. We reason as follows:

$(\rho\cdot f)(\rho\cdot x) = (\rho_2 \circ \rho)\cdot f((\rho_1 \circ \rho)\cdot x)$  Definition 5.17
$= (\rho_2 \circ \rho)\cdot f((\rho' \circ \rho_1)\cdot x)$  Definition 5.3
$= (\rho_2 \circ \rho \circ \rho')\cdot f(\rho_1\cdot x)$  $nontriv(\rho') \cap S_f = \varnothing$
$= (\rho \circ \rho_2)\cdot f(\rho_1\cdot x)$  Lem. 5.15, Def. 5.3
$= \rho\cdot f((\rho_2 \circ \rho_1)\cdot x)$  $dom(\rho_2) \cap S_f = \varnothing$
$= \rho\cdot f(x)$  Definition 5.3

□



5.2.3. Definition of the exponential

Definition 5.20. Write $X^{=} \Rightarrow Y^{=}$ for the renaming set with underlying set those $f \in |X^{=}| \to |Y^{=}|$ that are supported in the sense of Definition 5.12, and renaming action as defined in Definition 5.17.

Lemma 5.21. If f is supported in the sense of Definition 5.12 then it is supported by $S_f$ in the sense of Definition 5.3. Thus, $X^{=} \Rightarrow Y^{=}$ is indeed a permissive-nominal renaming set.

Proof. It suffices to show that if $a \notin S_f$ then $([a::=b]\cdot f)(x) = f(x)$. This follows by routine calculations. □

Lemma 5.22. PmsRen (Definition 5.11) is cartesian closed:

• The exponential is $X^{=} \Rightarrow Y^{=}$ from Definition 5.20.

• Products are given pointwise as in Definition 5.31.

• The terminal object $1^{=}$ is the singleton set $\{0\}$ with the trivial action $\rho\cdot 0 = 0$.

Proof. The bijection between $(X^{=} \times Y^{=}) \to Z^{=}$ and $X^{=} \to (Y^{=} \Rightarrow Z^{=})$ is given by currying and uncurrying as usual. Thus $G : (X^{=} \times Y^{=}) \to Z^{=}$ maps to $x \mapsto \lambda y.G(x, y)$. It is not hard to verify that if $dom(\rho) \cap supp(x) = \varnothing$ then

$(\rho\cdot\lambda y.G(x, y))(y) = \rho\cdot G(x, y) = G(x, \rho\cdot y) = (\lambda y.G(x, y))(\rho\cdot y)$.

Thus $\lambda y.G(x, y)$ is supported by $supp(x)$ and is in $Y^{=} \Rightarrow Z^{=}$. □

We take a moment to build a particular exponential which will be useful later.

Definition 5.23. Suppose $x \in |X^{=}|$ and $a \in \mathbb{A}_\nu$. Write $\lambda a.x \in |\mathbb{A}_\nu| \to |X^{=}|$ for the function mapping a to x and b to $[a::=b]\cdot x$.

Lemma 5.24. $\lambda a.x \in |\mathbb{A}_\nu \Rightarrow X^{=}|$.
Proof. It suffices to show that $\lambda a.x$ is supported by $supp(x)$ (in fact, it is also supported by $supp(x) \setminus \{a\}$). Suppose $dom(\rho) \cap supp(x) = \varnothing$ and $z \in \mathbb{A}_\nu$ (z is not necessarily distinct from a). Write $\rho{-}a$ for the renaming such that $(\rho{-}a)(b) = \rho(b)$ and $(\rho{-}a)(a) = a$. We sketch the relevant reasoning:

$\rho\cdot((\lambda a.x)z) = (\rho \circ [a::=z])\cdot x = ([a::=\rho(z)] \circ (\rho{-}a))\cdot x = [a::=\rho(z)]\cdot x = (\lambda a.x)(\rho\cdot z)$

□

5.3. Atoms, products, atoms-abstraction, and functions out of atoms
5.3.1. Atoms

Definition 5.25. Write $B$ for the nominal set and the permutation/renaming set with underlying set $\{0, 1\}$ and the trivial permutation/renaming action such that $\pi\cdot x = x$ / $\rho\cdot x = x$ always.

We will be lax and write $x \in B$ for $x \in |B|$.

Write $\mathbb{A}_\nu$ for the permutation set and the renaming set with underlying set $\mathbb{A}_\nu$ and the natural permutation/renaming action such that $\pi\cdot x = \pi(x)$ / $\rho\cdot x = \rho(x)$ always. We will be lax and write $x \in \mathbb{A}_\nu$ for $x \in |\mathbb{A}_\nu|$.



5.3.2. Atoms-abstraction in permutation and renaming sets

Definition 5.26. Suppose $X$ is a supported permutation set. Suppose $x \in |X|$ and $a \in \mathbb{A}_\nu$. Define atoms-abstraction $[a]x$ and $[\mathbb{A}_\nu]X$ by:

$[a]x = \{(a, x)\} \cup \{(b, (b\ a)\cdot x) \mid b \in \mathbb{A}_\nu \setminus supp(x)\}$
$|[\mathbb{A}_\nu]X| = \{[a]x \mid a \in \mathbb{A}_\nu, x \in |X|\}$
$\pi\cdot[a]x = [\pi(a)]\pi\cdot x$

Lemma 5.27. Suppose $X$ is a supported permutation set.

1. $[\mathbb{A}_\nu]X$ is a supported permutation set.

2. $[a]x = [a]x'$ if and only if $x = x'$, for $a \in \mathbb{A}_\nu$ and $x \in |X|$.

3. $[a]x = [a']x'$ if and only if $a' \notin supp(x)$ and $(a'\ a)\cdot x = x'$, for $a, a' \in \mathbb{A}_\nu$ and $x, x' \in |X|$.



We do not need Definition 5.28 for the completeness proof but we include it for the interested reader to compare and contrast with Definition 5.26.

Definition 5.28. Suppose $X^{=}$ is a supported renaming set. Suppose $x \in |X^{=}|$ and $a \in \mathbb{A}_\nu$. Define atoms-abstraction $[a]x$ and $[\mathbb{A}_\nu]X^{=}$ by:

$[a]x = \{(a, x)\} \cup \{(b, [a::=b]\cdot x) \mid b \in \mathbb{A}_\nu \setminus supp(x)\}$
$|[\mathbb{A}_\nu]X^{=}| = \{[a]x \mid a \in \mathbb{A}_\nu, x \in |X^{=}|\}$
$\rho\cdot[a]x = [a]\rho\cdot x$  ($a \notin nontriv(\rho)$)

Remark 5.29. Definitions 5.26 and 5.28 look similar; both define graphs of partial functions defined on $supp(x) \setminus \{a\}$. However, the critical difference is that in renaming sets, this partial function can be extended to a total function in $\mathbb{A}_\nu \to X^{=}$.

That is, $[a]x \in [\mathbb{A}_\nu]X^{=}$ determines a total function which we could write $\lambda a.x$, mapping a to x and any other b to $[a::=b]\cdot x$. We return to this in Lemma 7.3 where we show that the natural map from $[\mathbb{A}_\nu]X^{=}$ to $\mathbb{A}_\nu \Rightarrow X^{=}$ is not surjective; so Definition 5.28 identifies a 'small' and 'well-behaved' subset of the function space.
A cognate of Lemma 5.27 also holds for $[\mathbb{A}_\nu]X^{=}$:

Lemma 5.30. Suppose $X^{=}$ is a finitely-supported renaming set.

1. $[\mathbb{A}_\nu]X^{=}$ is a permissive-nominal set.

2. $[a]x = [a]x'$ if and only if $x = x'$, for $a \in \mathbb{A}_\nu$ and $x \in |X^{=}|$.

3. $[a]x = [a']x'$ if and only if $a' \notin supp(x)$ and $(a'\ a)\cdot x = x'$ (or equivalently $[a::=a']\cdot x = x'$), for $a, a' \in \mathbb{A}_\nu$ and $x, x' \in |X^{=}|$.

5.3.3. Product

Definition 5.31. If $X_i$ and $X^{=}_i$ are supported permutation and renaming sets for $1 \le i \le n$ then define $X_1 \times \ldots \times X_n$ and $X^{=}_1 \times \ldots \times X^{=}_n$ by:

$|X_1 \times \ldots \times X_n| = |X_1| \times \ldots \times |X_n|$  $|X^{=}_1 \times \ldots \times X^{=}_n| = |X^{=}_1| \times \ldots \times |X^{=}_n|$

$\pi\cdot(x_1, \ldots, x_n) = (\pi\cdot x_1, \ldots, \pi\cdot x_n)$  $\rho\cdot(x_1, \ldots, x_n) = (\rho\cdot x_1, \ldots, \rho\cdot x_n)$

Lemma 5.32. • $supp(a) = \{a\}$.

• $supp([a]x) = supp(x) \setminus \{a\}$.

• $supp((x_1, \ldots, x_n)) = \bigcup\{supp(x_i) \mid 1 \le i \le n\}$.

Proof. By routine arguments like those in [GP01] or [Gab11a, Corollary 2.30 & Theorem 3.11]. □

5.4. The free extension of a permutation set to a renaming set

Notation 5.33. If $\sim$ is an equivalence relation, $[-]_\sim$ will denote the equivalence class of $-$ in $\sim$.

Definition 5.34. We define a functor $ren(-)$ from PmsPrm to PmsRen as follows:

• Action of $ren(-)$ on objects.

$X$ maps to $ren(X) = (M \times |X|)/{\sim}$ where $\rho\cdot[(\rho', x)]_\sim = [(\rho \circ \rho', x)]_\sim$ and $\sim$ is the least equivalence relation such that:

1. If $\rho(a) = \rho'(a)$ for every $a \in supp(x)$ then $(\rho, x) \sim (\rho', x)$.

2. $(\rho \circ \pi, x) \sim (\rho, \pi\cdot x)$.

For convenience we will write $[(\rho, x)]_\sim$ as $\rho\cdot x$.

• Action of $ren(-)$ on arrows.

An arrow $F : X \to Y$ maps to $ren(F) : ren(X) \to ren(Y)$ given by:

$ren(F)(\rho\cdot x) = \rho\cdot F(x)$

Lemma 5.35. $ren(F)$ is well-defined; that is, that if $(\rho, x) \sim (\rho', x')$ then $ren(F)((\rho, x)) \sim ren(F)((\rho', x'))$.

Proof. Induction on the derivation that $(\rho, x) \sim (\rho', x')$. We consider the two base cases:

• The case $\rho(a) = \rho'(a)$ for every $a \in supp(x)$. By part 2 of Lemma 5.10 also $\rho(a) = \rho'(a)$ for every $a \in supp(F(x))$.

• The case $(\rho \circ \pi, x) \sim (\rho, \pi\cdot x)$. Then also $(\rho \circ \pi, F(x)) \sim (\rho, \pi\cdot F(x))$ and by equivariance $\pi\cdot F(x) = F(\pi\cdot x)$. □




Remark 5.36. Rules 2 and 1 of Definition 5.34 can be viewed as α-conversion and garbage-collection respectively. Thus in $\rho\cdot x \in ren(X)$ we may without loss of generality (using rule 2) assume that $dom(\rho) \cap S = \varnothing$ for any permission set S, and we may also assume (using rule 1) that $dom(\rho) \subseteq supp(x)$.

Lemma 5.37. 1. $ren(B)$ (for B considered a set with the trivial permutation action) is isomorphic to B (for B considered a set with a trivial renaming action).

2. $ren(\mathbb{A}_\nu)$ (for $\mathbb{A}_\nu$ with its natural permutation action) is isomorphic to $\mathbb{A}_\nu$ (for $\mathbb{A}_\nu$ with its natural renaming action).

Proof. We consider only the second part. This follows if we note that according to the rules for $\sim$ in Definition 5.34,

$(\rho, a) \sim ((\rho(a)\ a), a) \sim (id, \rho(a))$.

□

Where we are dealing with more than zero or one atoms at a time, isomorphisms like those in Lemma 5.37 may fail:

Lemma 5.38. $ren(\mathbb{A}_\nu \times \mathbb{A}_\nu)$ is not isomorphic to $ren(\mathbb{A}_\nu) \times ren(\mathbb{A}_\nu)$ (which is isomorphic to

Proof. Consider the element $[a::=b]\cdot(a, b)$. □

6. Interpretation of permissive-nominal logic

6.1. Interpretation of signatures

Definition 6.1. Suppose $(\mathcal{A}, \mathcal{B})$ is a sort-signature (Definition 2.1).

A PNL interpretation I for $(\mathcal{A}, \mathcal{B})$ consists of an assignment of a nonempty supported permutation set to each $\tau \in \mathcal{B}$.

We extend an interpretation I to sorts by:

Definition 6.2. Suppose $\Sigma = (\mathcal{A}, \mathcal{B}, \mathcal{F}, \mathcal{P}, ar, \mathcal{X})$ is a signature (Definition 2.3). A (non-equivariant) PNL interpretation I for $\Sigma$ consists of the following data:

• An interpretation for the sort-signature $(\mathcal{A}, \mathcal{B})$ (Definition 6.1).

• For every $\mathsf{f} \in \mathcal{F}$ with $ar(\mathsf{f}) = (\alpha')\alpha$ an equivariant function $\mathsf{f}^{I}$ from $\llbracket\alpha'\rrbracket^{I}$ to $\llbracket\alpha\rrbracket^{I}$ (Definition 5.9).

• For every $\mathsf{P} \in \mathcal{P}$ with $ar(\mathsf{P}) = \alpha$ a supported function $\mathsf{P}^{I}$ from $\llbracket\alpha\rrbracket^{I}$ to $\{0, 1\}$.

If every $\mathsf{P}^{I}$ is equivariant, then call I a fully equivariant interpretation.¹¹

¹¹A non-equivariant PNL interpretation still interprets term-formers equivariantly. Only the predicates might not be equivariant. We do this in order to completely model (Ax*) from Figure 2, so that $\mathsf{P}(r) \vdash \mathsf{P}(\pi\cdot r)$; see Theorem A.9. Of course it is possible to imagine a notion of non-equivariant interpretation where term-formers are interpreted as non-equivariant functions. This would correspond to something else: namely, to losing the property that $\pi\cdot\mathsf{f}(r) = \mathsf{f}(\pi\cdot r)$.




6.2. Interpretation of terms

Definition 6.3. Suppose I is an interpretation for $\Sigma$. A valuation $\varsigma$ to I is a map on unknowns such that for each unknown X,

• $\varsigma(X) \in \llbracket sort(X)\rrbracket^{I}$, and

• $supp(\varsigma(X)) \subseteq pmss(X)$.

$\varsigma$ will range over valuations.

Definition 6.4. Suppose I is an interpretation of a signature $\Sigma$. Suppose $\varsigma$ is a valuation to I.

Define an interpretation $\llbracket r\rrbracket^{I}_\varsigma$ in $\Sigma$ by:

$\llbracket\pi\cdot X\rrbracket_\varsigma = \pi\cdot\varsigma(X)$
$\llbracket(r_1, \ldots, r_n)\rrbracket_\varsigma = (\llbracket r_1\rrbracket_\varsigma, \ldots, \llbracket r_n\rrbracket_\varsigma)$

Lemma 6.5. If $r : \alpha$ then $\llbracket r\rrbracket^{I}_\varsigma \in \llbracket\alpha\rrbracket^{I}$.

Proof. By a routine induction on r. □

Lemma 6.6. $\pi\cdot\llbracket r\rrbracket_\varsigma = \llbracket\pi\cdot r\rrbracket_\varsigma$.

Proof. By a routine induction on r. We consider one case:

• The case $\pi'\cdot X$. By Definition 6.4 $\llbracket\pi'\cdot X\rrbracket_\varsigma = \pi'\cdot\varsigma(X)$. Therefore $\pi\cdot\llbracket\pi'\cdot X\rrbracket_\varsigma = \pi\cdot(\pi'\cdot\varsigma(X))$. It is a fact of the group action (Definition 5.2) that $\pi\cdot(\pi'\cdot\varsigma(X)) = (\pi \circ \pi')\cdot\varsigma(X)$, and of the permutation action (Definition 2.10) that $\pi\cdot(\pi'\cdot X) = (\pi \circ \pi')\cdot X$. The result follows. □

Lemma 6.7. $supp(\llbracket r\rrbracket_\varsigma) \subseteq fa(r)$.

Proof. By a routine induction on r. We consider one case in detail:

• The case $\pi\cdot X$. $fa(\pi\cdot X) = \pi\cdot pmss(X)$ by Definition 2.13. By assumption in Definition 6.3 $supp(\varsigma(X)) \subseteq pmss(X)$.

The cases of a, $[a]r$, and $(r_1, \ldots, r_n)$ use parts 1, 2, and 3 of Lemma 5.32. The case of $\mathsf{f}$ uses part 1 of Lemma 5.10. □

6.3. Interpretation of propositions

Definition 6.8. Suppose $\varsigma$ is a valuation to an interpretation I. Suppose X is an unknown and $x \in \llbracket sort(X)\rrbracket^{I}$ is such that $supp(x) \subseteq pmss(X)$. Define $\varsigma[X::=x]$ by

$(\varsigma[X::=x])(Y) = \varsigma(Y)$ and $(\varsigma[X::=x])(X) = x$.

It is easy to verify that $\varsigma[X::=x]$ is also a valuation to I.
Definition 6.9. Suppose I is an interpretation. Define an interpretation of propositions by:

$\llbracket\mathsf{P}(r)\rrbracket_\varsigma = \mathsf{P}^{I}(\llbracket r\rrbracket_\varsigma)$
$\llbracket\forall X.\phi\rrbracket_\varsigma = \min\{\llbracket\phi\rrbracket_{\varsigma[X::=x]} \mid x \in \llbracket sort(X)\rrbracket^{I}, supp(x) \subseteq pmss(X)\}$

We may identify $\llbracket\phi\rrbracket^{I}$ with a set of valuations $\{\varsigma \mid \llbracket\phi\rrbracket_\varsigma = 1\}$. We discuss soundness and completeness in Appendix A.

Lemma 6.10. • $\llbracket r\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]} = \llbracket r[X::=r']\rrbracket_\varsigma$.

Proof. By routine inductions on the definitions of $\llbracket r\rrbracket_\varsigma$ and $\llbracket\phi\rrbracket_\varsigma$ in Definitions 6.4 and 6.9. We consider two cases:

• The case of $\llbracket\pi\cdot X\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]}$. We reason as follows:

$\llbracket\pi\cdot X\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]} = \pi\cdot\llbracket r'\rrbracket_\varsigma$  Definition 6.4
$= \llbracket\pi\cdot r'\rrbracket_\varsigma$  Lemma 6.6
$= \llbracket(\pi\cdot X)[X::=r']\rrbracket_\varsigma$  Definition 2.21.

• The case of $\llbracket\mathsf{P}(r)\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]}$. We reason as follows:

$\llbracket\mathsf{P}(r)\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]} = \mathsf{P}^{I}(\llbracket r\rrbracket_{\varsigma[X::=\llbracket r'\rrbracket_\varsigma]})$  Definition 6.9
$= \mathsf{P}^{I}(\llbracket r[X::=r']\rrbracket_\varsigma)$  Part 1 of this result
$= \llbracket\mathsf{P}(r)[X::=r']\rrbracket_\varsigma$  Definition 6.9.

□

Lemma 6.11. If $\varsigma(X) = \varsigma'(X)$ for all $X \in fV(r)$ then $\llbracket r\rrbracket_\varsigma = \llbracket r\rrbracket_{\varsigma'}$, and similarly for $\phi$.

Proof. By a routine induction on r and $\phi$. □

7. Interpretation of HOL

For this section fix some PNL interpretation I of a PNL signature $\Sigma$. Recall from Definition 4.2 the definition of the corresponding HOL signature $T_\Sigma$.

We have our interpretation of PNL and we have from Definition 4.3 a translation of PNL syntax to HOL syntax. We also have a functor from nominal sets to renaming sets (Definition 5.34). It remains to interpret HOL in renaming sets consistent with these interpretations and translations. This is Definitions 7.1 and 7.6, and the key technical result Lemma 8.10. Completeness follows quickly as a corollary (Theorem 8.12).

Note that in the interpretation (Definition 7.1) the type $\beta' \to \beta$ is not necessarily interpreted as the set of all functions; it may be interpreted as a small subset of this function space. This is an old idea: since Henkin, models of HOL have been constructed to cut down on the full function-space (e.g. to create a complete semantics [And86, Section 55]; see also [BBK04] for a survey of non-standard semantics for HOL).

What we need to prove completeness of the syntactic translation $\lfloor -\rfloor^D$ is the existence of some interpretation of HOL with certain properties. This should not be mistaken as a commitment of nominal techniques to using this model of HOL always (unless we want to).

7.1. Interpretation of types 

Recall the definition of a valuation (Definition 6.3) to an rntepretation I for the PNL 
signature S. Recall the definition of i;[X::^x] (Definition 6.8), and the interpretations of 
terms Irf^ (Definition 6.4) and propositions Ji/)]^ (Definition 6.9). 

We give similar definitions for HOL and renaming sets, culminating with Theo- 
rem 7.15 (soundness). 

Definition 7.1. We provide an interpretation HoiTs by: 



l[a\f = renilaf) 
H"=B 

|(/3i, . . . , I3r,)f = IPif X ... X {p, not of the form [a\ for at least one i) 

1/3' j3f = 1(3' f =^ ipf 1(3' or (3 not of the form [a\ ) 



Recall Y- from Definition 5.20 and x Y- from Definition 5.3L 

Remark 7.2. Not all function types are interpreted equally by Definition 7.1.

If a type is the image of a PNL sort then we handle it using the first clause, wrapping it up in $ren(\text{-})$. Otherwise the interpretation is as standard: pairs to products; function types to the (supported) function set. This case-split makes Lemma 8.10 work, which is central to Corollary 8.11 and to Completeness (Theorem 8.12).

Why Lemma 8.10 could not work without this case-split is indicated in Lemma 7.3. Briefly, $\mathbb{A}_\nu\Rightarrow X^{=}$ contains 'exotic elements' making it bigger than $[\mathbb{A}_\nu]X^{=}$, as readers familiar with higher-order abstract syntax would expect [DH94, exotic terms]. Perhaps less familiar, from Lemma 8.10, is that $ren(\text{-})$ does not commute with atoms-abstraction or even with cartesian product. That is, even e.g. $\mathbb{A}_\nu\times\mathbb{A}_\nu$ in PmsRen has an 'exotic element'.

Lemma 7.3.
1. The natural map from $ren(\mathbb{A}_\nu)$ to $\mathbb{A}_\nu$ mapping $\rho\cdot a$ to $\rho(a)$, is a bijection (cf. Lemma 5.37).

2. The natural map from $ren(X^{=}\times Y^{=})$ to $ren(X^{=})\times ren(Y^{=})$ mapping $\rho\cdot(x,y)$ to $(\rho\cdot x,\rho\cdot y)$ is neither surjective nor injective.

3. The natural map from $ren([\mathbb{A}_\nu]X^{=})$ to $[\mathbb{A}_\nu]ren(X^{=})$ mapping $\rho\cdot[a]x$ where $a\notin nontriv(\rho)$ to $[a]\rho\cdot x$, is not surjective.

4. The natural map from $[\mathbb{A}_\nu]Y^{=}$ to $\mathbb{A}_\nu\Rightarrow Y^{=}$ mapping $[a]x$ to $\lambda a.x$ (Definition 5.23), is not surjective.

Proof. 1. By rule 2 of Definition 5.34.

2. Take $X^{=}=Y^{=}=\mathbb{A}_\nu$. The natural map from $ren(X^{=}\times Y^{=})$ to $ren(X^{=})\times ren(Y^{=})$ takes $id\cdot(a,b)$ to $(id\cdot a,id\cdot b)$. By equivariance it must map $[a::=b]\cdot(a,b)$ to $(id\cdot b,id\cdot b)$. But then it is not injective, since $[a::=b]\cdot(a,b)\neq id\cdot(b,b)$ in $ren(X^{=}\times Y^{=})$.
Now take $X^{=}=Y^{=}=\mathbb{A}_\nu\times\mathbb{A}_\nu$. It is not hard to see that $([a::=b]\cdot(a,b),\,id\cdot(b,b))$ is not in the image of the natural map, so the map is also not surjective.

3. Take $X^{=}=\mathbb{A}_\nu\times\mathbb{A}_\nu$ and consider $[a][a::=b]\cdot(a,b)\in[\mathbb{A}_\nu]ren(X^{=})$.

4. Take $X^{=}=Y^{=}=\mathbb{A}_\nu$ for $\mathbb{A}_\nu$ considered a renaming set as in Definition 5.25. Consider the function $[a::=b]\in\mathbb{A}_\nu\Rightarrow\mathbb{A}_\nu$ mapping $a$ to $b$, $b$ to $b$, and all other $c$ to $c$. □

7.2. Interpretation of terms 

Definition 7.4. A (HOL) valuation $\varrho$ to $\mathcal{H}$ is a map on variables $X:\beta$ such that $\varrho(X)\in\llbracket\beta\rrbracket^{\mathcal{H}}$. $\varrho$ will range over valuations.

Definition 7.5. Suppose $\varrho$ is a valuation. Suppose $X$ is a variable and $x\in\llbracket type(X)\rrbracket^{\mathcal{H}}$. Define a function $\varrho[X::=x]$ by:

$(\varrho[X::=x])(b)=\varrho(b)$ (for an atom $b$),  $(\varrho[X::=x])(Y)=\varrho(Y)$ (for a variable $Y$ other than $X$)  and  $(\varrho[X::=x])(X)=x$.

It is easy to verify that $\varrho[X::=x]$ is also a valuation to $\mathcal{H}$.
Definition 7.6. Extend $\mathcal{H}$ to terms as follows:

• $\llbracket a\rrbracket^{\mathcal{H}}(\varrho)=\varrho(a)$.

• $\llbracket X\rrbracket^{\mathcal{H}}(\varrho)=\varrho(X)$.

• $\llbracket g_f\rrbracket^{\mathcal{H}}=ren(f^{\mathcal{I}})$ and $\llbracket g_P\rrbracket^{\mathcal{H}}=ren(P^{\mathcal{I}})$ (Definition 5.34).

• $\llbracket\bot\rrbracket^{\mathcal{H}}(\varrho)=0$.

• $\llbracket\Rightarrow\rrbracket^{\mathcal{H}}(\varrho)=\lambda x\in\mathbb{B},y\in\mathbb{B}.\max\{1-x,\,y\}$.

• $\llbracket\forall_\beta\rrbracket^{\mathcal{H}}(\varrho)=\lambda x\in\llbracket\beta\to o\rrbracket^{\mathcal{H}}.\min\{x\,y\mid y\in\llbracket\beta\rrbracket^{\mathcal{H}}\}$.

• $\llbracket\lambda a.t\rrbracket^{\mathcal{H}}(\varrho)=\rho\cdot[a]x$ where $\llbracket t\rrbracket^{\mathcal{H}}(\varrho[a::=a])=\rho\cdot x$, provided that $t:\lfloor\alpha\rfloor$ for some PNL sort $\alpha$ and $a\in\mathbb{A}_\nu$ for some name sort $\nu$ and ($\alpha$-converting if necessary)

$a\notin\bigcup_{X\in fv(t)\setminus\{a\}}supp(\varrho(X))$.

• $\llbracket\lambda X.t\rrbracket^{\mathcal{H}}(\varrho)=\lambda x.\llbracket t\rrbracket^{\mathcal{H}}(\varrho[X::=x])$ provided that $\lambda X.t:\beta'\to\beta$ where $\beta'\to\beta$ is not equal to $\lfloor[\mathbb{A}_\nu]\alpha\rfloor$ for any $\nu$ or $\alpha$.

• $\llbracket t\,u\rrbracket^{\mathcal{H}}(\varrho)=([a::=b]\circ\rho)\cdot x$ provided that $t:\lfloor\alpha\rfloor$ for some PNL sort $\alpha$, where $\llbracket u\rrbracket^{\mathcal{H}}(\varrho)=id\cdot b$ (by construction some such $b$ always exists) and $\llbracket t\rrbracket^{\mathcal{H}}(\varrho)=\rho\cdot[a]x$, and (renaming if necessary) $a\notin nontriv(\rho)\cup\{b\}$.

• $\llbracket t\,u\rrbracket^{\mathcal{H}}(\varrho)=\llbracket t\rrbracket^{\mathcal{H}}(\varrho)\,\llbracket u\rrbracket^{\mathcal{H}}(\varrho)$ provided that $t:\beta$ for $\beta$ not equal to $\lfloor\alpha\rfloor$ for any PNL sort $\alpha$.

• $\llbracket(t_1,\ldots,t_n)\rrbracket^{\mathcal{H}}(\varrho)=(\bigcup_i\rho_i)\cdot(x_1,\ldots,x_n)$ provided that $t_i:\lfloor\alpha_i\rfloor$ for $1\le i\le n$, where $\llbracket t_i\rrbracket^{\mathcal{H}}(\varrho)=\rho_i\cdot x_i$, and we choose representatives such that $dom(\rho_i)\cap dom(\rho_j)=\varnothing$ for all $1\le i\neq j\le n$.

• $\llbracket(t_1,\ldots,t_n)\rrbracket^{\mathcal{H}}(\varrho)=(\llbracket t_1\rrbracket^{\mathcal{H}}(\varrho),\ldots,\llbracket t_n\rrbracket^{\mathcal{H}}(\varrho))$ provided that there exists some $i$ and $\beta$ such that $t_i:\beta$ and $\beta$ is not equal to $\lfloor\alpha\rfloor$ for any PNL sort $\alpha$.

Remark 7.7. Definition 7.6 propagates to terms the case-split noted in Remark 7.2. We treat terms differently depending on whether they populate the translation of a PNL sort, or not. We must do this because of how we interpreted types in Definition 7.1. Just to locate where we are, here is a schematic of the overall structure of the proof of completeness:

    PNL syntax  ---- ⌊-⌋^H ---->  HOL syntax
        |                             |
   Definition 6.4      (not possible) | Definition 7.6
        |                             |
        v                             v
     PmsPrm   ----- ren(-) ----->  PmsRen

We translated PNL to HOL using $\lfloor\text{-}\rfloor^{\mathcal{H}}$ in Definition 4.3. Ideally, to prove completeness we would give HOL a denotation directly in PmsPrm. Unfortunately this is not possible (the dashed arrow) because $[a]r$ translates to $\lambda a.\lfloor r\rfloor^{\mathcal{H}}$ and has nominal denotation as an atoms-abstraction $[a]\llbracket r\rrbracket^{\mathcal{I}}_\varsigma$; atoms-abstraction (Definition 5.26) is the graph of a partial function, whereas $\lambda a.\lfloor r\rfloor^{\mathcal{H}}$ 'wants' to take denotation as a total function. So we use a commuting square as illustrated, and in PmsRen atoms-abstraction can be viewed as a total function, as noted in Remark 5.29. Definition 7.6 uses this, and fills in the right-hand arrow.

Note that by forming this diagram we give a new semantics to PNL in PmsRen, and thus in particular give a semantics to nominal atoms-abstraction in which it becomes interpreted as a total function.

The top arrow is Definition 4.3; the left-hand arrow is Definition 6.4; and the bottom arrow is Definition 5.34.

Lemma 8.10 proves commutativity of the square.

Lemma 7.8. Suppose $a\in\mathbb{A}_\nu$ and $b\in\mathbb{A}_\nu$. Suppose $a\notin supp(\varrho(X))$ for every $X\in fv(t)\setminus\{a\}$ (including $b$). Then $\llbracket t\rrbracket^{\mathcal{H}}(\varrho[a::=id\cdot b])=[a::=b]\cdot(\llbracket t\rrbracket^{\mathcal{H}}(\varrho))$.

Proof. By a routine induction on $t$. We mention two cases:

• The case $t$ is $a$. Using the fact that $id\cdot b=[a::=b]\cdot a$ in $\mathbb{A}_\nu$ with the action described in Definition 5.25.

• The case $t$ is $X$ for some HOL variable that is not an atom. By assumption $a\notin supp(\varrho(X))$ and so by Definition 5.3, $\varrho(X)=[a::=b]\cdot\varrho(X)$. The result follows. □

Remark 7.9. Lemma 7.8 may fail if $a\in supp(\varrho(X))$. For instance, if $\varrho(X)=a$ where $a\in\mathbb{A}_\nu$ and $type(X)=\lfloor\mathbb{A}_\nu\rfloor$ and $X$ is not itself an atom, then $\llbracket X\rrbracket^{\mathcal{H}}(\varrho[a::=id\cdot b])=id\cdot a$ yet $[a::=b]\cdot(\llbracket X\rrbracket^{\mathcal{H}}(\varrho))=[a::=b]\cdot(id\cdot a)=id\cdot b$.

We need to check that the denotation of terms populates the denotation of their types, and that $\beta$-equivalent terms receive equal denotations.

Lemma 7.10. If $t:\beta$ then $\llbracket t\rrbracket^{\mathcal{H}}(\varrho)\in\llbracket\beta\rrbracket^{\mathcal{H}}$.

Theorem 7.11. $\llbracket(\lambda X.t)\,u\rrbracket^{\mathcal{H}}(\varrho)=\llbracket t\rrbracket^{\mathcal{H}}(\varrho[X::=\llbracket u\rrbracket^{\mathcal{H}}(\varrho)])$.

Proof. There are two cases, depending on whether $\lambda X.t:\lfloor[\mathbb{A}_\nu]\alpha\rfloor$ for some PNL sort, or not.

• The case $t:\lfloor\alpha\rfloor$. By Definition 7.6 $\llbracket u\rrbracket^{\mathcal{H}}(\varrho)=id\cdot b$ and $\llbracket\lambda X.t\rrbracket^{\mathcal{H}}(\varrho)=\rho\cdot[a]x$ for some $b$, $\rho$, $a$, and $x$. $\alpha$-converting if necessary assume $X$ is equal to $a$, which we choose fresh (so $a\notin nontriv(\rho)\cup\{b\}$ and $a\notin supp(\varrho(Y))$ for every $Y\in fv(t)\setminus\{a\}$). Then also by definition $\llbracket(\lambda a.t)\,u\rrbracket^{\mathcal{H}}(\varrho)=([a::=b]\circ\rho)\cdot x$.

Thus it suffices to check that $([a::=b]\circ\rho)\cdot x=\llbracket t\rrbracket^{\mathcal{H}}(\varrho[a::=id\cdot b])$. This follows using Lemma 7.8.

• The case $t:\beta$ where $\beta$ is not equal to $\lfloor\alpha\rfloor$ for any PNL sort $\alpha$. This is as standard. □
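As an added worked instance (not part of the paper) of the atoms-abstraction case of Theorem 7.11 and of the freshness side condition it inherits from Lemma 7.8. It uses only the clauses of Definition 7.6 for atoms, variables, tuples, $\lambda a.t$ and application, with $t=(a,X)$, $u=b$ and $\varrho(X)=id\cdot y$ for some $y$ with $a,b\notin supp(y)$ and $a\neq b$. It assumes that $\lfloor[\mathbb{A}_\nu]\alpha\rfloor=\lfloor\mathbb{A}_\nu\rfloor\to\lfloor\alpha\rfloor$ (as the side condition on $\lambda X.t$ in Definition 7.6 indicates) and two properties of $ren(\text{-})$ (Definition 5.34) that this page does not restate: (i) $\rho\cdot(\pi\cdot x)=(\rho\circ\pi)\cdot x$, and (ii) $\rho\cdot x=\rho'\cdot x$ whenever $\rho$ and $\rho'$ agree on $supp(x)$.

```latex
% Added example; assumptions (i), (ii) are stated in the lead-in.
% Left-hand side of Theorem 7.11, computed with Definition 7.6:
\begin{align*}
\llbracket (a,X)\rrbracket^{\mathcal H}(\varrho[a{::=}a])
  &= (id\cup id)\cdot(a,y) = id\cdot(a,y)
  && \text{tuple clause: } \llbracket a\rrbracket^{\mathcal H}=id\cdot a,\ \llbracket X\rrbracket^{\mathcal H}=id\cdot y \\
\llbracket \lambda a.(a,X)\rrbracket^{\mathcal H}(\varrho)
  &= id\cdot[a](a,y)
  && \lambda a.t\text{ clause; } a\notin supp(\varrho(X)) \text{ holds} \\
\llbracket (\lambda a.(a,X))\,b\rrbracket^{\mathcal H}(\varrho)
  &= ([a{::=}b]\circ id)\cdot(a,y) = [a{::=}b]\cdot(a,y)
  && \text{application clause, } \llbracket b\rrbracket^{\mathcal H}(\varrho)=id\cdot b
\end{align*}
% Right-hand side of Theorem 7.11:
\begin{align*}
\llbracket (a,X)\rrbracket^{\mathcal H}(\varrho[a{::=}id\cdot b])
  &= id\cdot(b,y)              && \text{tuple clause} \\
  &= id\cdot(a\ b)\cdot(a,y)   && (a\ b)\text{ moves only the first component, as } a,b\notin supp(y) \\
  &= (a\ b)\cdot(a,y)          && \text{(i) with } \rho=id \\
  &= [a{::=}b]\cdot(a,y)       && \text{(ii): } (a\ b) \text{ and } [a{::=}b] \text{ agree on } \{a\}\cup supp(y)
\end{align*}
% Both sides coincide, as the theorem states. The step marked (ii) is where
% b ∉ supp(y) is used: it is the "(including b)" hypothesis of Lemma 7.8.
%
% Failure mode (Remark 7.9): take instead rho(X) = id·a, so a ∈ supp(rho(X)).
% The freshness condition of the λa.t clause now forces an α-conversion first:
\begin{align*}
\llbracket \lambda a.(a,X)\rrbracket^{\mathcal H}(\varrho)
  &= \llbracket \lambda a'.(a',X)\rrbracket^{\mathcal H}(\varrho) = id\cdot[a'](a',a)
  && a' \text{ fresh} \\
\llbracket (\lambda a'.(a',X))\,b\rrbracket^{\mathcal H}(\varrho)
  &= [a'{::=}b]\cdot(a',a) = (a'\ b)\cdot(a',a) = id\cdot(b,a)
  && \text{(ii) on } \{a',a\}, \text{ then (i)}
\end{align*}
% Skipping the α-conversion would instead give [a::=b]·(a,a) = id·(b,b): the
% atom a held by X would be captured by the substitution, which is exactly what
% Lemma 7.8 excludes.
```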
7.3. Soundness 

Lemma 7.12. If $\varrho(X)=\varrho'(X)$ for all $X\in fv(t)$ then $\llbracket t\rrbracket^{\mathcal{H}}(\varrho)=\llbracket t\rrbracket^{\mathcal{H}}(\varrho')$.

Proof. By a routine induction on terms. □

Lemma 7.13. $\llbracket t\rrbracket^{\mathcal{H}}(\varrho[X::=\llbracket u\rrbracket^{\mathcal{H}}(\varrho)])=\llbracket t[X::=u]\rrbracket^{\mathcal{H}}(\varrho)$.

Proof. By a routine induction on $t$. We mention two cases (bearing in mind that in HOL, a variable $X:\nu$ may be an atom in $\mathbb{A}_\nu$):

• The case $t$ equals $X$ equals $a\in\mathbb{A}_\nu$ for some atom $a$. By Definition 7.6, $\llbracket a\rrbracket^{\mathcal{H}}(\varrho[a::=\llbracket u\rrbracket^{\mathcal{H}}(\varrho)])=\llbracket u\rrbracket^{\mathcal{H}}(\varrho)$.

• The case $t$ equals $\lambda Y.t'$. We assume $Y\notin fv(u)$, so $(\lambda Y.t')[X::=u]=\lambda Y.(t'[X::=u])$, and use the inductive hypothesis. □

Definition 7.14 (Validity). Call the proposition $\xi$ valid in $\mathcal{H}$ when $\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho)=1$ for all $\varrho$.

Call the sequent $\xi_1,\ldots,\xi_n\vdash\chi_1,\ldots,\chi_p$ valid in $\mathcal{H}$ when $(\xi_1\wedge\ldots\wedge\xi_n)\Rightarrow(\chi_1\vee\ldots\vee\chi_p)$ is valid.

If this is true for all $\mathcal{H}$ then write $\xi_1,\ldots,\xi_n\models\chi_1,\ldots,\chi_p$.

Theorem 7.15 (Soundness). If $\Xi\vdash\mathrm{X}$ is derivable then $\Xi\models\mathrm{X}$.

Proof. Fix some interpretation $\mathcal{H}$. We work by induction on derivations (Figure 2). We sketch the two non-trivial cases:

• The case of $(\forall\mathrm{L})$. We check that $u:type(X)$ implies $\llbracket\forall X.\xi\rrbracket^{\mathcal{H}}(\varrho)\le\llbracket\xi[X::=u]\rrbracket^{\mathcal{H}}(\varrho)$. We reason as follows:

$\llbracket\forall X.\xi\rrbracket^{\mathcal{H}}(\varrho)=\min\{\llbracket\lambda X.\xi\rrbracket^{\mathcal{H}}(\varrho)\,y\mid y\in\llbracket type(X)\rrbracket^{\mathcal{H}}\}$   Definition 7.6

$=\min\{\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho[X::=y])\mid y\in\llbracket type(X)\rrbracket^{\mathcal{H}}\}$   Definition 7.6

$\le\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho[X::=\llbracket u\rrbracket^{\mathcal{H}}(\varrho)])$   Fact: a minimum is below every element, and $\llbracket u\rrbracket^{\mathcal{H}}(\varrho)\in\llbracket type(X)\rrbracket^{\mathcal{H}}$ by Lemma 7.10

$=\llbracket\xi[X::=u]\rrbracket^{\mathcal{H}}(\varrho)$   Lemma 7.13

In the second use of Definition 7.6 above, note that $\lfloor\mathbb{A}_\nu\rfloor\to o$ is never of the form $\lfloor[\mathbb{A}_\nu]\alpha\rfloor$ for any $\alpha$.

• The case of $(\forall\mathrm{R})$. We use Lemma 7.12 and routine calculations on truth-values. □



8. Completeness of the translation of PNL to HOL 

We are now ready to prove completeness (Theorem 8.12) of the translation from Definition 4.3. The proof is subtle; notably Lemma 8.4 and the case of $\forall X.\phi$ in Lemma 8.10 are non-trivial. Some mathematical action also takes place in Lemma 8.9 and the case of $\pi\cdot X$ in Lemma 8.10.
8.1. Renamings and HOL propositions

We need a few technical observations about how renamings interact with the deno- 
tations of HOL propositions: 

Lemma 8.1. Suppose $G:X^{=}\to\mathbb{B}$. Then for every $\rho$, $G(x)=1$ implies $G(\rho\cdot x)=1$.

Proof. From equivariance and the fact that $\rho\cdot 1=1$ in $\mathbb{B}$. □

Corollary 8.2. Suppose $F:X\to\mathbb{B}$. Then $ren(F)(\rho\cdot x)=F(x)$.

Notation 8.3. Write $\rho\cdot\varrho$ for the valuation mapping $X$ to $\rho\cdot\varrho(X)$.

Lemma 8.4. Suppose $\xi$ is a HOL proposition. Then

• $\llbracket\xi\rrbracket^{\mathcal{H}}(\rho\cdot\varrho)=\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho)$ for every $\rho$ and $\varrho$, and

• as a corollary, if $X:\beta$ and $x\in\llbracket\beta\rrbracket^{\mathcal{H}}$ then $\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho[X::=x])=\llbracket\xi\rrbracket^{\mathcal{H}}(\varrho[X::=\rho\cdot x])$.

Proof. We work by induction on $\xi$. For each $\xi$ the corollary follows from the first part using a freshening pair of renamings (see Definition 5.16). For the first part, the case of $g_P$ is by Corollary 8.2. The case of $\forall$ follows using the second part and some routine calculations. The cases of $\bot$ and $\Rightarrow$ are immediate. □

Remark 8.5. Lemma 8.4 expresses that $\llbracket\xi\rrbracket^{\mathcal{H}}$ does not examine atoms for inequality across its arguments (if it did then Lemma 8.4 could not hold, because $\rho$ can identify atoms, i.e. make them become equal, in the denotations of variables in $\xi$). The corollary is even more powerful: we can even apply renamings to the denotations of individual free variables, and still not affect validity.

We use this in the case of $\forall X.\phi$ in Lemma 8.10 to 'jettison' unwanted $\rho$ in the denotation of the quantified variable.

8.2. The completeness proof 

Notation 8.6. Suppose $D=[d_1,\ldots,d_n]$ is a finite list of distinct atoms in $\mathbb{A}_{\nu_1},\ldots,\mathbb{A}_{\nu_n}$ respectively. Suppose $r:\alpha$ is a PNL term. Then:

• Write $[D]r$ for the PNL term $[d_1]\ldots[d_n]r$.

• Write $[\mathbb{A}_D]\alpha$ for the PNL sort $[\mathbb{A}_{\nu_1}]\ldots[\mathbb{A}_{\nu_n}]\alpha$.

Definition 8.7. Given a finite list of distinct atoms $D$, map a PNL valuation $\varsigma$ to a HOL valuation $D(\varsigma)$ defined by

$D(\varsigma)$ maps $X:\alpha$ to $id\cdot[D_X]\varsigma(X)\in\llbracket\lfloor[\mathbb{A}_{D_X}]\alpha\rfloor\rrbracket^{\mathcal{H}}$ and $a:\nu$ to $a\in\mathbb{A}_\nu$

(where $D_X=D\cap pmss(X)$, as in the proof of Lemma 8.10).

Lemma 8.8. Suppose $D\vdash r$. Then $\llbracket\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=id\cdot x$ for some $x\in\llbracket sort(r)\rrbracket^{\mathcal{I}}$.

Proof. By a routine induction on Definition 7.6 using Definition 8.7 for the case that $r$ is a variable $X$. □

(The point here is that $\llbracket\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))$ is not equal to $\rho\cdot x$ for any $\rho$ that is non-injective on $supp(x)$.)

Compare Lemma 8.9 with Lemma 4.12:

Lemma 8.9. If $nontriv(\pi)\cap supp(x)\subseteq D'$ then $(id\cdot[D']x)\ \pi\cdot D'=id\cdot\pi\cdot x$.

Proof. From Definition 7.6 and rule 2 of Definition 5.34. □
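As an added worked instance, not from the paper, of Lemma 8.9 and of the side condition $nontriv(\pi)\cap supp(x)\subseteq D'$ that the $\pi\cdot X$ case of Lemma 8.10 relies on. It evaluates the application of an abstraction to atoms with the application clause of Definition 7.6 (taking $\pi\cdot D'$ as the atoms $\pi(d_1),\ldots,\pi(d_n)$ applied in turn) and assumes two properties of $ren(\text{-})$ (Definition 5.34) that Lemma 7.3(1) relies on but which this page does not restate: (i) $\rho\cdot(\pi\cdot x)=(\rho\circ\pi)\cdot x$, and (ii) $\rho\cdot x=\rho'\cdot x$ whenever $\rho$ and $\rho'$ agree on $supp(x)$.

```latex
% Added example; assumptions (i), (ii) are stated in the lead-in.
% Data: D' = [a,b],  supp(x) = {a,b,d},  pi = (a c) with c ∉ supp(x).
% Hypothesis of Lemma 8.9: nontriv(pi) ∩ supp(x) = {a,c} ∩ {a,b,d} = {a} ⊆ D'.
\begin{align*}
(id\cdot[a][b]x)\ c
  &= ([a{::=}c]\circ id)\cdot[b]x
  && \text{Definition 7.6, application clause: } a\notin nontriv(id)\cup\{c\} \\
  &= [a{::=}c]\cdot[b'](b'\ b)\cdot x
  && \alpha\text{-rename } b \text{ to fresh } b' \text{ so that } b'\notin nontriv([a{::=}c])\cup\{b\} \\
([a{::=}c]\cdot[b'](b'\ b)\cdot x)\ b
  &= ([b'{::=}b]\circ[a{::=}c])\cdot(b'\ b)\cdot x
  && \text{Definition 7.6, application clause} \\
  &= ([b'{::=}b]\circ[a{::=}c]\circ(b'\ b))\cdot x
  && \text{(i)} \\
  &= (a\ c)\cdot x
  && \text{(ii): both send } a\mapsto c,\ b\mapsto b,\ d\mapsto d;\ \text{uses } c\notin supp(x) \\
  &= id\cdot(a\ c)\cdot x = id\cdot\pi\cdot x
  && \text{(i) with } \rho=id
\end{align*}
% So (id·[D']x) π·D' = id·π·x, as Lemma 8.9 states.
%
% Failure mode when the hypothesis is violated:
% D' = [a],  x = (a,c) ∈ A_ν × A_ν,  pi = (a c);  nontriv(pi) ∩ supp(x) = {a,c} ⊄ {a}.
\begin{align*}
(id\cdot[a](a,c))\ c &= [a{::=}c]\cdot(a,c) && \text{Definition 7.6: the renaming collapses } a \text{ and } c \\
id\cdot\pi\cdot x     &= id\cdot(c,a)          && \text{the permutation swaps them}
\end{align*}
% These are distinct in ren(A_ν × A_ν): the natural map of Lemma 7.3(2) sends the
% first to (id·c, id·c) and the second to (id·c, id·a). This is the "suspended
% non-injectivity" of Section 9.1, and it is why the π·X case of Lemma 8.10 needs
% D ⊢ r, i.e. nontriv(π) ∩ pmss(X) ⊆ D_X.
```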

Lemma 8.10 proves that the schematic diagram of Remark 7.7 does indeed commute:

Lemma 8.10. Suppose $r:\alpha$ and $\phi$ is a proposition. Then:

If $D\vdash r$ then $\llbracket\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=id\cdot\llbracket r\rrbracket^{\mathcal{I}}_\varsigma$.

If $D\vdash\phi$ then $\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=\llbracket\phi\rrbracket^{\mathcal{I}}_\varsigma$.

Proof. By inductions on $r$ and $\phi$.

• The case $\pi\cdot X$. We reason as follows, where $\alpha=sort(X)$ and $S=pmss(X)$:

$\llbracket\lfloor\pi\cdot X\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=\llbracket X\ \pi\cdot D_X\rrbracket^{\mathcal{H}}(D(\varsigma))$   Definition 4.3

$=D(\varsigma)(X)\ \pi\cdot D_X$   Definition 7.6

$=(id\cdot[D_X]\varsigma(X))\ \pi\cdot D_X$   Definition 8.7

$=id\cdot\pi\cdot\varsigma(X)$   Lemma 8.9, $supp(\varsigma(X))\subseteq S$

$=id\cdot\llbracket\pi\cdot X\rrbracket^{\mathcal{I}}_\varsigma$   Definition 6.4

Note of the penultimate step that by assumption $D\vdash r$, so by Definition 4.6 $nontriv(\pi)\cap S\subseteq D_X=D\cap S$.

• The case $[a]r$. We reason as follows:

$\llbracket\lfloor[a]r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=\llbracket\lambda a.\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))$   Definition 4.3

$=\rho\cdot[a]x$   Definition 7.6, $a$ fresh, where $\rho\cdot x=\llbracket\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[a::=a])$

$=id\cdot[a]x$   Wlog $\rho=id$ by Lemma 8.8

$=id\cdot[a]\llbracket r\rrbracket^{\mathcal{I}}_\varsigma$   ind. hyp.

$=id\cdot\llbracket[a]r\rrbracket^{\mathcal{I}}_\varsigma$   Definition 6.4

• The case $P(r)$. We reason as follows:

$\llbracket\lfloor P(r)\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=\llbracket g_P(\lfloor r\rfloor^{\mathcal{H}})\rrbracket^{\mathcal{H}}(D(\varsigma))$   Definition 4.3

$=\llbracket g_P\rrbracket^{\mathcal{H}}(\llbracket\lfloor r\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)))$   Definition 7.6 (application)

$=\llbracket g_P\rrbracket^{\mathcal{H}}(id\cdot\llbracket r\rrbracket^{\mathcal{I}}_\varsigma)$   part 1

$=ren(P^{\mathcal{I}})(id\cdot\llbracket r\rrbracket^{\mathcal{I}}_\varsigma)$   Definition 7.6

$=P^{\mathcal{I}}(\llbracket r\rrbracket^{\mathcal{I}}_\varsigma)$   Corollary 8.2

$=\llbracket P(r)\rrbracket^{\mathcal{I}}_\varsigma$   Definition 6.9

• The case $\forall X.\phi$. Write $\alpha=sort(X)$ and $S=pmss(X)$. From Definition 7.6

$\llbracket\lfloor\forall X.\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma))=\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=x])\mid x\in\llbracket\lfloor[\mathbb{A}_{D_X}]\alpha\rfloor\rrbracket^{\mathcal{H}}\}$

By construction in Definition 7.1 every $x\in\llbracket\lfloor[\mathbb{A}_{D_X}]\alpha\rfloor\rrbracket^{\mathcal{H}}$ has the form $\rho\cdot x'$ for $x'\in\llbracket[\mathbb{A}_{D_X}]\alpha\rrbracket^{\mathcal{I}}$. By Lemma 8.4 we have

$\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=x])\mid x\in\llbracket\lfloor[\mathbb{A}_{D_X}]\alpha\rfloor\rrbracket^{\mathcal{H}}\}$

$=\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=id\cdot x'])\mid x'\in\llbracket[\mathbb{A}_{D_X}]\alpha\rrbracket^{\mathcal{I}}\}$

Every such $x'$ has the form $[D_X]x''$ for some $x''\in\llbracket\alpha\rrbracket^{\mathcal{I}}$. Using Lemma 8.4 again we assume without loss of generality that $supp([D_X]x'')\subseteq pmss(X)\setminus D_X$, so that $supp(x'')\subseteq pmss(X)$ (recall $D_X\subseteq pmss(X)$), and so:

$\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=id\cdot x'])\mid x'\in\llbracket[\mathbb{A}_{D_X}]\alpha\rrbracket^{\mathcal{I}}\}$

$=\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=id\cdot[D_X]x''])\mid x''\in\llbracket\alpha\rrbracket^{\mathcal{I}},\ supp(x'')\subseteq pmss(X)\}$

Now we unfold definitions and use the inductive hypothesis, noting that $D(\varsigma)[X::=id\cdot[D_X]x'']=D(\varsigma[X::=x''])$ by Definition 8.7, and we obtain:

$\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma)[X::=id\cdot[D_X]x''])\mid x''\in\llbracket\alpha\rrbracket^{\mathcal{I}},\ supp(x'')\subseteq pmss(X)\}$

$=\min\{\llbracket\lfloor\phi\rfloor^{\mathcal{H}}\rrbracket^{\mathcal{H}}(D(\varsigma[X::=x'']))\mid x''\in\llbracket\alpha\rrbracket^{\mathcal{I}},\ supp(x'')\subseteq pmss(X)\}$

$=\min\{\llbracket\phi\rrbracket^{\mathcal{I}}_{\varsigma[X::=x'']}\mid x''\in\llbracket\alpha\rrbracket^{\mathcal{I}},\ supp(x'')\subseteq pmss(X)\}$

$=\llbracket\forall X.\phi\rrbracket^{\mathcal{I}}_\varsigma$

□

Corollary 8.11. Suppose $\Phi=\{\phi_1,\ldots,\phi_n\}$ and $\Psi=\{\psi_1,\ldots,\psi_p\}$ and $D\vdash\Phi$ and $D\vdash\Psi$ (Definition 4.6). Suppose $\mathcal{I}$ is a PNL interpretation and suppose $\phi_1,\ldots,\phi_n\vdash\psi_1,\ldots,\psi_p$ is not valid in $\mathcal{I}$.

Then $\mathcal{H}$ from Definition 7.1 is a HOL interpretation and $\lfloor\phi_1\rfloor^{\mathcal{H}},\ldots,\lfloor\phi_n\rfloor^{\mathcal{H}}\vdash\lfloor\psi_1\rfloor^{\mathcal{H}},\ldots,\lfloor\psi_p\rfloor^{\mathcal{H}}$ is not valid in $\mathcal{H}$.

Proof. Suppose $\varsigma$ is such that $\llbracket\phi_1\wedge\cdots\wedge\phi_n\rrbracket^{\mathcal{I}}_\varsigma=1$ and $\llbracket\psi_1\vee\cdots\vee\psi_p\rrbracket^{\mathcal{I}}_\varsigma=0$. We use Lemma 8.10 for $D(\varsigma)$ (Definition 8.7). □

Theorem 8.12 (Completeness). Suppose $D\vdash\Phi$ and $D\vdash\Psi$. If $\lfloor\Phi\rfloor^{\mathcal{H}}\vdash\lfloor\Psi\rfloor^{\mathcal{H}}$ in HOL then $\Phi\vdash\Psi$ in restricted PNL.

Proof. We prove the contrapositive. Suppose $\Phi\nvdash\Psi$ in restricted PNL. By the contrapositive of completeness of restricted PNL (Theorem A.9) there is a non-equivariant PNL interpretation $\mathcal{I}$ in which $\Phi\vdash\Psi$ is not valid. By Corollary 8.11, $\lfloor\Phi\rfloor^{\mathcal{H}}\vdash\lfloor\Psi\rfloor^{\mathcal{H}}$ is then not valid in the HOL interpretation $\mathcal{H}$ built from $\mathcal{I}$ in Definition 7.1. By the contrapositive of HOL soundness (Theorem 7.15), $\lfloor\Phi\rfloor^{\mathcal{H}}\nvdash\lfloor\Psi\rfloor^{\mathcal{H}}$. □

9. Conclusions 

We have translated a logic with its own proof-theory, syntax, and sound and complete semantics. Any formal theory specified in the PNL fragment of this paper can be systematically, soundly, and completely translated to HOL.

For the reader interested in nominal techniques, the main contribution of this paper is that in proving completeness of the translation, we have given another semantics of permissive nominal logic, besides the 'obvious' one in nominal sets. In this new semantics, a term of the form $[a]t$ is interpreted as a function, like $\lambda a.t$ would be in higher-order logic. This shows at the semantic level an implicit similarity between PNL and HOL (we discuss presheaves in the next Subsection).

For the reader interested in higher-order logic, this paper is of interest because its image is readily identified with the higher-order patterns developed by Miller [Mil91] (so that, intuitively, restricted PNL could be thought of as a compact first-order logic and nominal semantics for higher-order patterns).

In this semantics the sort $[\mathbb{A}]\alpha$ is not interpreted as the set of all functions from atoms to the interpretation of $\alpha$, but as a small subset of this function space. This is an old idea: since Henkin, models of HOL have been constructed to cut down on the full function-space (e.g. to create a complete semantics [And86, Section 55]). Moreover in weak HOAS, to avoid so-called exotic terms, function existence axioms must be weakened in HOL: for instance, the description axiom that entails the existence of a function for all functional relations has to be dropped (an alternative is to introduce an explicit modality [DPS01]). We now have a new view of these 'smaller' function-spaces as being the image of nominal atoms-abstractions via the semantic operations considered in this paper.

9.1. Permissive nominal logic in perspective 

Permissive-nominal logic is the endpoint, so far, of an evolution as follows:

• Fraenkel-Mostowski set theory and a first-order axiomatisation by Pitts introduced and described the underlying nominal sets models in first-order logic [GP01, Pit03].

• Nominal terms introduced a dedicated syntax with two levels of variable and freshness side-conditions [UPG04].

• Nominal algebra and αProlog inserted nominal terms syntax into formal reasoning systems [GM09a, CU04].

• Permissive-nominal terms introduced permission sets [DGM10].

• PNL introduced a proof-theory and universal quantifier for nominal terms unknowns [DG10, DG11].

Meanwhile in the semantics 

• Nominal renaming sets extended nominal sets from a permutation action to a renaming action [GH08].

• A permissive version of nominal algebra (an equality fragment of PNL) was given semantics in PmsPrm and theories were translated from HOL [GM09b], but this was done purely syntactically without using nominal renaming sets and without considering universal quantification.

The categories PmsPrm and PmsRen from Definition 5.11 are identical to the categories of nominal sets and nominal renaming sets from [GP01] and [GH08], except that here we insist on supporting permission sets instead of supporting finite sets.

The reader familiar with presheaf techniques will see in PmsRen the category $\mathbf{Sets}^{\mathbb{F}}$ (presheaves over the category $\mathbb{F}$ of finite sets and functions between them). PmsRen corresponds to presheaves (not quite over $\mathbb{F}$, as discussed in the previous paragraph) that preserve pullbacks of pairs of monos [GH08] and because of this it admits an arguably preferable sets-based presentation. (In the same sense, PmsPrm corresponds to $\mathbf{Sets}^{\mathbb{I}}$, presheaves over finite sets and injections.)

If for the sake of argument we set aside the issues of finiteness and preserving pullbacks of monos, then this paper can be summed up as follows: PNL, and thus nominal terms, can be given a semantics in something that looks like $\mathbf{Sets}^{\mathbb{F}}$. This semantics is functional in that atoms-abstractions in $\mathbf{Sets}^{\mathbb{F}}$ can be naturally identified with total functions, though not all of them, which is good. HOL can also be given a semantics in something that looks like $\mathbf{Sets}^{\mathbb{F}}$, and in such a way that it overlaps with the semantics of PNL, as described in Definition 7.6 and Lemma 8.10. We describe and exploit that overlap in this paper.

PmsRen from Definition 5.11 is related to the category of (finitely-supported) nominal renaming sets from [GH08]. Here, the difference that $x\in|X^{=}|$ need not have finite support is significant because it is impossible with a finite renaming to rename $supp(x)$ to be entirely disjoint from some other permission set $S$. The definitions and proofs in Subsection 5.2 are delicately revised with respect to those in [GH08, Section 3]. Thus this paper contributes to the use of non-finitely-supported objects in nominal techniques, building on [GH08] and also on Cheney's and the second author's considerations of infinitely supported permutation sets [Che06, Gab07].

A similar construction as in Subsection 5.4 has been considered, also in the context of names, though tersely, in Fiore and Turi's paper on the semantics of name and value passing [FT01]. The reader can compare for example the final two paragraphs of Subsection 1.3 in [FT01] with Definition 5.34 from Subsection 5.4. Fiore and Turi want substitutions to model bisimulation in the presence of name-generation and message-passing; we want renamings to model function application on names. The underlying technical demands overlap and are similar.

Fiore and Turi's framework includes the possibility of arbitrary substitutions for atoms (not just what we call renamings: substitution of atoms for atoms). This was apparent in [FT01] and is developed greatly in subsequent work by Fiore and Hur [FH10]. We hypothesise that from the point of view of PNL, their logic and semantics correspond to PNL enriched with substitution actions like those in [DG10, GM06a], but this remains to be checked.

Levy and Villaret translated nominal unification problems to higher-order unification problems [LV08]. A similar but more detailed analysis, translating solutions and introducing the same notion of capturable atoms as used in the capture typings in this paper, appears in the paper which introduced permissive nominal terms [DGM10]. See also a journal version of Levy and Villaret's paper [LV11], which expanded on their previous work by eliminating freshness contexts (in a similar spirit to PNL, we feel, though the details are different). This paper can be viewed as a very considerable extension, refinement, and generalisation of these works: this paper is their grandchild, so to speak, via two other papers [DG10, GM09b].

The extension of nominal sets to nominal renaming sets is free. This is touched on in Lemma 7.3 when we note that $[a::=b]\cdot(a,b)$ and $id\cdot(b,b)$ are distinct elements in $ren(\mathbb{A}_\nu\times\mathbb{A}_\nu)$ in PmsRen; this happens because the free construction 'suspends the non-injectivity' of $[a::=b]$ on $(a,b)$. This is as things should be, in order to obtain completeness. The second author has considered a more radical non-free construction [Gab09], which has the effect of extending atoms-abstraction to a total function and in which $[a::=b]\cdot x$ really does identify $a$ with $b$ in $x$, in a suitable sense.

As we have emphasised, we translate a fragment of PNL to HOL. In [DG10] we considered full PNL with equivariance, which corresponds to strengthening the axiom rule (Ax′) in Figure 2 from $\phi\vdash\phi$ to $\phi\vdash\pi\cdot\phi$, as illustrated in Figure 1. This internalises the equivariance assumed in Definition 6.2 and allows us to derive e.g. $P(a)\vdash P(b)$.

In the journal version [DG11] of [DG10] we strengthen PNL further by allowing a shift-permutation. This is a non-finitely-supported bijection on $\mathbb{A}$ similar to a de Bruijn shift function $\uparrow$ [ACCL91, Subsection 2.2]. Its effect in this paper is to make all permission sets isomorphic up to bijection (e.g. $\mathbb{A}^{<}\cup\{a\}=\pi\cdot\mathbb{A}^{<}$ for some $\pi$, where $a\notin\mathbb{A}^{<}$) and this deals with a subtle restriction in the power of universal quantification discussed for instance in [DG10, Example 2.29]. Briefly, shift lets us derive $\forall X.P(X)\vdash P(Z)$ where $pmss(X)=\mathbb{A}^{<}$ and $pmss(Z)=\mathbb{A}^{<}\cup\{a\}$ where $a\notin\mathbb{A}^{<}$, which was not possible in the PNL from [DG10].

Footnote: Conversely, Fiore and Hur would view PNL as a restriction of their logic without substitution. The two points of view are consistent with each other, of course, and it is interesting that different authors are converging on similar systems. It might be worth mentioning that deduction modulo by the first author with Hardin and Kirchner was designed to mediate between these kinds of design decisions while retaining proof-theory [DHK98].

Neither equivariance nor shift are translated to HOL in this paper; more on this in the next subsection.

9.2. Future work 

We have translated Permissive-Nominal Logic to Higher-Order Logic. The translation is not surjective: all variables are at most second-order; all constants are at most third-order; higher types are not used; and in fact all terms in the image of the translation are $\lambda$-patterns [Mil91]. In addition, the translation is not total: we have dropped equivariance.

This is with good reason. We have not been able to simulate equivariance in HOL, not without 'cheating' by simply adding it (and causing a blowup in the size of propositions). We have not proved this impossible, but we hypothesise that it cannot be done. We further hypothesise (based on preliminary calculations not included in this paper) that HOL augmented with the $\nabla$-quantifier from [MT03] would allow us to express equivariance.

It is not currently clear how to extend HOL with a shift-like permutation as discussed in [DG11, Gab11b]. This seems reasonable since shift would correspond to an infinite renaming.

Some natural theories in PNL might correspond to other fragments of HOL. Notably, it is not known what relation exists between HOL and PNL with the theory of atoms-substitution from [GM08, DG11].
A. Soundness and completeness of restricted PNL with respect to non-equivariant models

A.1. Validity and soundness

Definition A.1 (Validity). Suppose $\mathcal{I}$ is a non-equivariant interpretation of a signature $\mathcal{S}$ (Definition 6.2). Call the proposition $\phi$ valid in $\mathcal{I}$ when $\llbracket\phi\rrbracket^{\mathcal{I}}_\varsigma=1$ for all $\varsigma$.

Call the sequent $\phi_1,\ldots,\phi_n\vdash\psi_1,\ldots,\psi_p$ valid in $\mathcal{I}$ when $(\phi_1\wedge\ldots\wedge\phi_n)\Rightarrow(\psi_1\vee\ldots\vee\psi_p)$ is valid.

If this is true for all non-equivariant $\mathcal{I}$ then write $\phi_1,\ldots,\phi_n\models'\psi_1,\ldots,\psi_p$. If this is true for all equivariant $\mathcal{I}$ then write $\phi_1,\ldots,\phi_n\models\psi_1,\ldots,\psi_p$. (Throughout this appendix the primed symbols $\models'$ and $\vdash'$ refer to non-equivariant validity and to derivability in restricted PNL; the unprimed $\models$ and $\vdash$ refer to equivariant validity and to full PNL.)

Theorem A.2 (Soundness). 1. If $\Phi\vdash'\Psi$ is derivable then $\Phi\models'\Psi$.
2. If $\Phi\vdash\Psi$ is derivable then $\Phi\models\Psi$.

Proof. Fix some interpretation $\mathcal{I}$. We work by induction on derivations. The case of $(\forall\mathrm{L})$ uses Lemma 6.10. The case of $(\forall\mathrm{R})$ uses Lemma 6.11. Other rules are routine by unpacking definitions.

If the interpretation $\mathcal{I}$ is fully equivariant then it can further be proved that $\llbracket\phi\rrbracket^{\mathcal{I}}_\varsigma=\llbracket\pi\cdot\phi\rrbracket^{\mathcal{I}}_\varsigma$ always, so that (Ax) is valid. If $\mathcal{I}$ is not fully equivariant, then just (Ax′) is valid. □

Theorem A.3. (Cut) is admissible in both full and restricted PNL.

Proof. The proof for full PNL is in [DG11, Section 7] or [Gab11b, Subsection 11.2]; the derivation rules are almost exactly those of first-order logic, and so is the proof of cut-elimination. The argument for restricted PNL is identical; we note that none of the cut-eliminating transformations add $\pi$ to axiom rules unless they are already there, so the same reductions on derivations work also for the restricted system. □
A.2. Completeness

In [DG11, Gab11b] we prove completeness of full PNL with respect to equivariant models, by means of a Herbrand construction (a model built out of syntax). We can leverage this result to concisely prove completeness of restricted PNL with respect to non-equivariant models, without having to repeat the model constructions.

For this subsection, fix the following data:

• A signature $\mathcal{S}=(\mathcal{A},\mathcal{B},\mathcal{F},\mathcal{P},ar,\mathcal{X})$.

• A proposition $\phi$ such that $\nvdash'\phi$.

Definition A.4. Define a new signature $\mathcal{S}^\tau$ as follows:

• $\mathcal{A}^\tau=\mathcal{A}$ and $\mathcal{B}^\tau=\mathcal{B}\cup\{\tau\}$ (so we have the same atom sorts and the same base sorts, plus one extra base sort $\tau$).

• $\mathcal{F}^\tau=\mathcal{F}$ and $\mathcal{P}^\tau=\mathcal{P}$ (so we have the same term- and proposition-formers).

• If $f\in\mathcal{F}$ then $ar^\tau(f)=ar(f)$ (the term-formers are identical).

• If $P\in\mathcal{P}$ and $ar(P)=\alpha$ then $ar^\tau(P)=(\tau,\alpha)$ (so proposition-formers take one extra argument of sort $\tau$).

• $\mathcal{X}^\tau=\mathcal{X}\cup\{Z^\tau_{i,S}\mid i\in\mathbb{N},\ S\text{ a permission set}\}$ where $sort(Z^\tau_{i,S})=\tau$ (so we add unknowns of sort $\tau$).

Now fix some particular unknown $Z^\tau$ with $sort(Z^\tau)=\tau$ and such that $fa(\phi)\subseteq pmss(Z^\tau)$.

Definition A.5. Define a translation $-^\tau$ from PNL propositions in the signature $\mathcal{S}$ to PNL propositions in the signature $\mathcal{S}^\tau$ by mapping $P(r)$ to $P(Z^\tau,r)$ and extending this in the natural way to all propositions.

Our proof depends on the following technical lemma about PNL derivations:

Lemma A.6. If $\Phi\vdash\Psi$ is derivable in full PNL then there exists a derivation $\Pi$ such that every sequent $\Phi'\vdash\Psi'$ in $\Pi$ satisfies $fa(\Phi')\cup fa(\Psi')\subseteq fa(\Phi)\cup fa(\Psi)$.

Proof. By cut-elimination (Theorem A.3) if a derivation of $\Phi\vdash\Psi$ exists then a cut-free derivation exists. We now examine the derivation rules in Figure 2 and the definition of free atoms in Definition 2.13 and note that the rules $(\Rightarrow\mathrm{L})$, $(\Rightarrow\mathrm{R})$, $(\forall\mathrm{L})$, and $(\forall\mathrm{R})$ do not increase the free atoms moving from below the line to above the line ($(\forall\mathrm{R})$ and $(\forall\mathrm{L})$ can increase the free unknowns, but not the free atoms). □

Lemma A.7. $\pi\cdot r=\pi'\cdot r$ if and only if $\pi(a)=\pi'(a)$ for every $a\in fa(r)$, and similarly for $\phi$. See [Gab11b, Lemma 3.2.9] or [DGM10, Lemma 4.15].

Proposition A.8. If $\Phi^\tau\vdash\Psi^\tau$ in full PNL and $fa(\Phi)\cup fa(\Psi)\subseteq pmss(Z^\tau)$ then $\Phi\vdash'\Psi$.

Proof. Using cut-elimination of full PNL (Theorem A.3) assume a cut-free PNL derivation $\Pi$ of $\Phi^\tau\vdash\Psi^\tau$. Because of Lemma A.6, the condition on free atoms holds of every sequent in $\Pi$. Because of the form of the derivation rules in Figure 1, $\Pi$ cannot instantiate $Z^\tau$. So we can go through the entire syntax of $\Pi$ and delete $Z^\tau$ to obtain a structure that is a candidate for being a derivation in restricted PNL of $\Phi\vdash\Psi$.
The only non-trivial thing to check is that valid instances of (Ax) are transformed to valid instances of (Ax′). Suppose we deduce $\Phi'^\tau,\psi^\tau\vdash\pi'\cdot\psi^\tau,\Psi'^\tau$ using (Ax). By assumption $\pi'\cdot\psi^\tau=\psi'^\tau$ for some $\psi'$. It follows that $\pi'\cdot Z^\tau=id\cdot Z^\tau$ (recall from Subsection 2.3 that we quotient by $\alpha$-equivalence) and so by Lemma A.7 that $\pi'(a)=a$ for all $a\in pmss(Z^\tau)$. By assumption $fa(\psi)\cup fa(\psi')\subseteq fa(\Phi)\cup fa(\Psi)\subseteq pmss(Z^\tau)$, so $\pi'$ is the identity on $fa(\psi)$ and by Lemma A.7 $\pi'\cdot\psi=\psi$; hence $\psi=\psi'$ and the deleted sequent $\Phi',\psi\vdash\psi,\Psi'$ is an instance of (Ax′), and we are done. □
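As an added worked instance, not part of the paper, of Proposition A.8 at the one derivation step where full and restricted PNL differ: the axiom rule. It uses only the translation $-^\tau$ of Definition A.5 and Lemma A.7, in a signature (assumed for the example) with one atom sort, one proposition-former $P$ whose argument is an atom, and two distinct atoms $a,b\in pmss(Z^\tau)$, as required of $fa(\Phi)\cup fa(\Psi)$.

```latex
% Added example.
% 1. A sequent that survives deletion of Z^τ.
%    P(a) ⊢ P(a) is an instance of (Ax'), and its translation is an instance of (Ax)
%    with π = id:
\[
  P(Z^\tau, a) \vdash id\cdot P(Z^\tau, a) \qquad\text{i.e.}\qquad P(Z^\tau,a)\vdash P(Z^\tau,a).
\]
%    Deleting Z^τ gives back P(a) ⊢ P(a), an instance of (Ax').
%
% 2. A sequent that does not survive.
%    In full PNL, (Ax) with π = (a b) derives P(a) ⊢ (a b)·P(a), i.e. P(a) ⊢ P(b)
%    (the example of Section 9.1). For P(Z^τ,a) ⊢ P(Z^τ,b) to be an instance of (Ax)
%    one would need a permutation π with
\[
  \pi\cdot P(Z^\tau, a) \;=\; P(\pi\cdot Z^\tau,\ \pi(a)) \;=\; P(Z^\tau, b),
\]
%    so π(a) = b and π·Z^τ = Z^τ = id·Z^τ. By Lemma A.7 the second equation holds
%    only if π(c) = c for every c ∈ fa(Z^τ) = pmss(Z^τ); since a ∈ pmss(Z^τ) this
%    gives π(a) = a ≠ b, a contradiction. So the (Ax) step that full PNL uses for
%    P(a) ⊢ P(b) has no counterpart on the translated sequent, and after deleting
%    Z^τ there is no (Ax') instance either: the extra argument Z^τ is what blocks
%    equivariance. This matches Theorem A.9, whose non-equivariant models may set
%    P^I(a) = 1 and P^I(b) = 0, in which P(a) ⊢ P(b) is not valid.
```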

Theorem A.9. If $\Phi\models'\Psi$ then $\Phi\vdash'\Psi$.

Proof. We prove the contrapositive, that if $\Phi\nvdash'\Psi$ then $\Phi\not\models'\Psi$. Suppose $\Phi\nvdash'\Psi$. Using the constructions above we augment to a signature $\mathcal{S}^\tau$ (Definition A.4) with some $Z^\tau$ with $fa(\Phi)\cup fa(\Psi)\subseteq pmss(Z^\tau)$. Thus by Proposition A.8 $\Phi^\tau\nvdash\Psi^\tau$.

By completeness of full PNL with respect to equivariant models ([DG11, Theorem 3.45], [Gab11b, Theorem 9.4.15]) we have that $\Phi^\tau\not\models\Psi^\tau$. So there exists an equivariant model $\mathcal{I}$ and valuation $\varsigma$ to $\mathcal{I}$ such that $\llbracket\Phi^\tau\rrbracket^{\mathcal{I}}_\varsigma=1$ and $\llbracket\Psi^\tau\rrbracket^{\mathcal{I}}_\varsigma=0$. It is now routine to convert $\mathcal{I}$ into a non-equivariant model $\mathcal{I}'$ of the original signature $\mathcal{S}$ by taking $P^{\mathcal{I}'}(x)=P^{\mathcal{I}}(\varsigma(Z^\tau),x)$. □






